U.S. patent application number 13/520491 was filed with the patent office on 2012-12-20 for proxy calculation system, proxy calculation method, proxy calculation requesting apparatus, and proxy calculation program and recording medium therefor.
This patent application is currently assigned to Nippon Telegraph and Telephone Corporation. Invention is credited to Tetsutaro Kobayashi, Go Yamamoto.
Application Number | 20120323981 13/520491
Family ID | 44304266
Filed Date | 2012-12-20

United States Patent Application | 20120323981
Kind Code | A1
Yamamoto; Go ; et al. | December 20, 2012
PROXY CALCULATION SYSTEM, PROXY CALCULATION METHOD, PROXY CALCULATION REQUESTING APPARATUS, AND PROXY CALCULATION PROGRAM AND RECORDING MEDIUM THEREFOR
Abstract
A function f(x) is calculated with a calculating apparatus that
makes a correct calculation with a low probability. Provided that G
and H are cyclic groups, f is a function that maps an element x of
the group H into the group G, X.sub.1 and X.sub.2 are random
variables whose values are elements of the group G, x.sub.1 is a
realized value of the random variable X.sub.1, and x.sub.2 is a
realized value of the random variable X.sub.2, an integer
calculation part calculates integers a' and b' that satisfy a
relation a'a+b'b=1 using two natural numbers a and b that are
relatively prime. A first randomizable sampler is capable of
calculating f(x).sup.bx.sub.1 and designates the calculation result
as u. A first exponentiation part calculates u'=u.sup.a. A second
randomizable sampler is capable of calculating f(x).sup.ax.sub.2
and designates the calculation result as v. A second exponentiation
part calculates v'=v.sup.b. A determining part determines whether
u'=v' or not. A final calculation part calculates u.sup.b'v.sup.a'
in a case where it is determined that u'=v'.
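The check described in the abstract, written out as an added Python example (not code from the application), with the randomizable sampler built the way claim 3 describes for a homomorphism f. The toy group (P = 2039, Q = 1019), the choice f(x) = x^SECRET, the retry loop, the subgroup-membership check and all function names are assumptions made for this example.

```python
"""Self-correcting proxy calculation (abstract; sampler as in claim 3).

Added illustration with constructed toy parameters; not from the application.
"""
import math
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q = 2039, 1019
MU_H = 4                    # mu_h: generator of H (here H = G), K_H = Q
SECRET = 777                # known only to the calculating apparatus
NU = pow(MU_H, SECRET, P)   # nu = f(mu_h), known to the requesting apparatus


def f(x):
    """Assumed homomorphism f: H -> G, f(x) = x^SECRET mod P."""
    return pow(x, SECRET, P)


def bezout(a, b):
    """Return integers (a', b') with a'*a + b'*b == 1 (extended Euclid)."""
    if math.gcd(a, b) != 1:
        raise ValueError("a and b must be relatively prime")
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
        old_t, t = t, old_t - k * t
    return old_s, old_t


def randomizable_sample(oracle, x, e):
    """Blind x^e as mu_h^r * x^e, query the oracle, strip nu^r (claim 3).

    Returns f(x)^e if the oracle answered correctly, some other group
    element if it did not, or None for a reply outside the group.
    """
    r = secrets.randbelow(Q)                      # 0 <= r < K_H
    query = pow(MU_H, r, P) * pow(x, e, P) % P    # mu_h^r * x^e
    z = oracle(query)
    # Added hardening, not in the claims: reject replies outside the subgroup
    # so that 0 or a small-order element never reaches the final step.
    if not (isinstance(z, int) and 0 < z < P and pow(z, Q, P) == 1):
        return None
    return z * pow(NU, Q - r, P) % P              # z * nu^(-r), since nu^Q = 1


def proxy_calculate(oracle, x, a=3, b=5, max_tries=64):
    """Return f(x), or None if no consistent pair (u, v) was obtained."""
    a_p, b_p = bezout(a, b)
    for _ in range(max_tries):
        u = randomizable_sample(oracle, x, b)     # candidate for f(x)^b
        v = randomizable_sample(oracle, x, a)     # candidate for f(x)^a
        if u is None or v is None:
            continue
        if pow(u, a, P) == pow(v, b, P):          # determining part: u' == v'
            # u^b' * v^a' = f(x)^(b'b + a'a) = f(x); exponents reduced mod Q
            return pow(u, b_p % Q, P) * pow(v, a_p % Q, P) % P
    return None


def flaky_oracle(error_rate):
    """Constructed calculating apparatus that is right only some of the time."""
    rng = secrets.SystemRandom()

    def oracle(query):
        if rng.random() < error_rate:
            return pow(MU_H, secrets.randbelow(Q), P)   # wrong: random element
        return f(query)

    return oracle


if __name__ == "__main__":
    x = pow(MU_H, 123, P)                         # constructed input in H
    got = proxy_calculate(flaky_oracle(0.6), x)
    print("recovered:", got, "expected:", f(x))
```

With this toy order, a pair of random wrong answers passes the u'=v' test with probability about 1/Q, so the group must be of cryptographic size in real use.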
Inventors: | Yamamoto; Go; (Tokyo, JP) ; Kobayashi; Tetsutaro; (Tokyo, JP)
Assignee: | Nippon Telegraph and Telephone Corporation, Chiyoda-ku, JP
Family ID: | 44304266
Appl. No.: | 13/520491
Filed: | January 11, 2011
PCT Filed: | January 11, 2011
PCT NO: | PCT/JP11/50278
371 Date: | July 3, 2012
Current U.S. Class: | 708/250
Current CPC Class: | H04L 9/008 20130101; H04L 2209/76 20130101; H04L 2209/46 20130101; H04L 9/3066 20130101; H04L 9/30 20130101
Class at Publication: | 708/250
International Class: | G06F 7/58 20060101 G06F007/58

Foreign Application Data
Date | Code | Application Number
Jan 12, 2010 | JP | 2010-003924
Jan 18, 2010 | JP | 2010-007835
Claims
1. A proxy calculation system, comprising: an integer calculation
part that calculates integers a' and b' that satisfy a relation
a'a+b'b=1 using two natural numbers a and b that are relatively
prime; a first randomizable sampler that is capable of calculating
f(x).sup.bx.sub.1 and designates the calculation result as u; a
first exponentiation part that calculates u'=u.sup.a; a second
randomizable sampler that is capable of calculating
f(x).sup.ax.sub.2 and designates the calculation result as v; a
second exponentiation part that calculates v'=v.sup.b; a
determining part that determines whether u'=v' or not; and a final
calculation part that calculates u.sup.b'v.sup.a' in a case where
it is determined that u'=v', where G and H are cyclic groups, f is
a function that maps an element x of the group H into the group G,
X.sub.1 and X.sub.2 are random variables whose values are elements
of the group G, x.sub.1 is a realized value of the random variable
X.sub.1, and x.sub.2 is a realized value of the random variable
X.sub.2.
2. The proxy calculation system according to claim 1, further
comprising: a sampler that is capable of calculating f(x)x.sub.3,
where X.sub.3 is a random variable whose value is an element of the
group G and x.sub.3 is a realized value of the random variable
X.sub.3, performs the calculation instead of said second
randomizable sampler and designates the calculation result as said
v when a=1, and performs the calculation instead of said first
randomizable sampler and designates the calculation result as said
u when b=1.
3. The proxy calculation system according to claim 1, wherein said
first randomizable sampler comprises a first random number
generating part that generates a random number r.sub.1 that is an
integer equal to or greater than 0 and smaller than K.sub.H, a
first input information calculating part that calculates first
input information .mu..sub.h.sup.r1x.sup.b, a first output
information calculating part that is capable of calculating
f(.mu..sub.h.sup.r1x.sup.b) using said first input information
.mu..sub.h.sup.r1x.sup.b and designates the calculation result as
first output information z.sub.1, and a first calculating part that
calculates z.sub.1.nu..sup.-r1 and designates the calculation
result as said u, and said second randomizable sampler comprises a
second random number generating part that generates a random number
r.sub.2 that is an integer equal to or greater than 0 and smaller
than K.sub.H, a second input information calculating part that
calculates second input information .mu..sub.h.sup.r2x.sup.a, a
second output information calculating part that is capable of
calculating f(.mu..sub.h.sup.r2x.sup.a) using said second input
information .mu..sub.h.sup.r2x.sup.a and designates the calculation
result as second output information z.sub.2, and a second
calculating part that calculates z.sub.2.nu..sup.-r2 and designates
the calculation result as said v, where said f is a homomorphism,
.mu..sub.h is a generator of the group H, K.sub.H is an order of
the group H, and .nu.=f(.mu..sub.h).
4. The proxy calculation system according to claim 3, further
comprising: a sampler that comprises a third random number
generating part that generates a random number r.sub.3 that is an
integer equal to or greater than 0 and smaller than K.sub.H, a
third input information calculating part that calculates third
input information x.sup.r3, a third output information calculating
part that is capable of calculating f(x.sup.r3) using said third
input information x.sup.r3 and designates the calculation result as
third output information z.sub.3, and a third calculating part that
calculates z.sub.3.sup.1/r3 instead of said second randomizable
sampler and designates the calculation result as said v when a=1
and calculates z.sub.3.sup.1/r3 instead of said first randomizable
sampler and designates the calculation result as said u when
b=1.
5. The proxy calculation system according to claim 1, wherein said
first randomizable sampler comprises a fourth random number
generating part that generates a random number r.sub.4 that is an
integer equal to or greater than 0 and smaller than K.sub.G, a
fifth random number generating part that generates a random number
r.sub.5 that is an integer equal to or greater than 0 and smaller
than K.sub.G, a fourth input information calculating part that
calculates fourth input information
c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5, a fifth input information
calculating part that calculates fifth input information
c.sub.2.sup.bW.sup.r4, a fourth output information calculating part
that is capable of calculating
f(c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5, c.sub.2.sup.bW.sup.r4)
using said fourth input information
c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5 and said fifth input
information c.sub.2.sup.bW.sup.r4 and designates the calculation
result as fourth output information z.sub.4, and a fourth
calculating part that calculates z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5
and designates the calculation result as said u, and said second
randomizable sampler comprises a sixth random number generating
part that generates a random number r.sub.6 that is an integer
equal to or greater than 0 and smaller than K.sub.G, a seventh
random number generating part that generates a random number
r.sub.7 that is an integer equal to or greater than 0 and smaller
than K.sub.G, a sixth input information calculating part that
calculates sixth input information
c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7, a seventh input information
calculating part that calculates seventh input information
c.sub.2.sup.aW.sup.r6, a fifth output information calculating part
that is capable of calculating
f(c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7, c.sub.2.sup.aW.sup.r6)
using said sixth input information
c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7 and said seventh input
information c.sub.2.sup.aW.sup.r6 and designates the calculation
result as fifth output information z.sub.5, and a fifth calculating
part that calculates z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7 and
designates the calculation result as said v, where the group
H=G.times.G, said f is a homomorphism, .mu..sub.g is a generator of
the group G, K.sub.G is an order of the group G, x=(c.sub.1,
c.sub.2), (V, W) is an element of the group H, and f(V, W)=Y.
6. A proxy calculation method, comprising: an integer calculation
step in which an integer calculation part calculates integers a'
and b' that satisfy a relation a'a+b'b=1 using two natural numbers
a and b that are relatively prime; a first randomizable sample
extracting step in which a first randomizable sampler capable of
calculating f(x).sup.bx.sub.1 designates the calculation result as
u; a first exponentiation step in which a first exponentiation part
calculates u'=u.sup.a; a second randomizable sample extracting step
in which a second randomizable sampler capable of calculating
f(x).sup.ax.sub.2 designates the calculation result as v; a second
exponentiation step in which a second exponentiation part
calculates v'=v.sup.b; a determination step in which a determining
part determines whether u'=v' or not; and a final calculation step
in which a final calculation part calculates u.sup.b'v.sup.a' in a
case where it is determined that u'=v', where G and H are cyclic
groups, f is a function that maps an element x of the group H into
the group G, X.sub.1 and X.sub.2 are random variables whose values
are elements of the group G, x.sub.1 is a realized value of the
random variable X.sub.1, and x.sub.2 is a realized value of the
random variable X.sub.2.
7. A requesting apparatus, comprising: an integer calculation part
that calculates integers a' and b' that satisfy a relation
a'a+b'b=1 using two natural numbers a and b that are relatively
prime; a first exponentiation part that calculates u'=u.sup.a using
a calculation result u from a first randomizable sampler that is
capable of calculating f(x).sup.bx.sub.1, a second exponentiation
part that calculates v'=v.sup.b using a calculation result v from a
second randomizable sampler that is capable of calculating
f(x).sup.ax.sub.2; a determining part that determines whether u'=v'
or not; and a final calculation part that calculates
u.sup.b'v.sup.a' in a case where it is determined that u'=v', where
G and H are cyclic groups, f is a function that maps an element x
of the group H into the group G, X.sub.1 and X.sub.2 are random
variables whose values are elements of the group G, x.sub.1 is a
realized value of the random variable X.sub.1, and x.sub.2 is a
realized value of the random variable X.sub.2.
8. A proxy calculation system that calculates .theta.(g, h) using a
result of a calculation performed by a calculating apparatus in
response to a request from a requesting apparatus, wherein said
requesting apparatus comprises: a first random number generating
part that generates a random number r.sub.1 that is an integer
equal to or greater than 0 and smaller than K.sub.G; a second
random number generating part that generates a random number
r.sub.2 that is an integer equal to or greater than 0 and smaller
than K.sub.H; a first input information calculating part that
calculates first input information g.sub.1=.mu..sub.g.sup.r1g; a
second input information calculating part that calculates second
input information h.sub.1=.mu..sub.h.sup.r2; a first list
information calculating part that calculates z.sub.1.nu..sup.-r1r2
using z.sub.1.epsilon.F received from said calculating apparatus; a
first list storage part that stores an information set (r.sub.2,
z.sub.1.nu..sup.-r1r2) composed of said random number r.sub.2 and
said calculated z.sub.1.nu..sup.-r1r2; a third random number
generating part that generates a uniform random number d.sub.1 that
is an integer equal to or greater than 0 and smaller than K; a
fourth random number generating part that generates a uniform
random number r.sub.4 that is an integer equal to or greater than 0
and smaller than K.sub.G; a fifth random number generating part
that generates a uniform random number r.sub.5 that is an integer
equal to or greater than 0 and smaller than K.sub.H; a third input
information calculating part that calculates third input
information g.sub.2=.mu..sub.g.sup.r4g.sup.d1; a fourth input
information calculating part that calculates fourth input
information h.sub.2=.mu..sub.h.sup.r5; a second list information
calculating part that calculates z.sub.2.nu..sup.-r4r5 using
z.sub.2.epsilon.F received from said calculating apparatus; a
second list storage part that stores an information set (d.sub.1,
r.sub.5, z.sub.2.nu..sup.-r4r5) composed of said d.sub.1, said
r.sub.5 and said calculated z.sub.2.nu..sup.-r4r5; a first
determining part that determines whether or not the information set
read from said first list storage part and the information set read
from said second list storage part satisfy a relation (w.sub.1)
(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2, and substitutes s.sub.1 for
.sigma. and w.sub.1 for .nu.' in a case where the relation is
satisfied, where s.sub.1 and w.sub.1 are a first component and a
second component of the information set read from said first list
storage part, respectively, and t.sub.2, s.sub.2 and w.sub.2 are a
first component, a second component and a third component of the
information set read from said second list storage part,
respectively; a sixth random number generating part that generates
a uniform random number r.sub.6 that is an integer equal to or
greater than 0 and smaller than K.sub.G; a seventh random number
generating part that generates a uniform random number r.sub.7 that
is an integer equal to or greater than 0 and smaller than K.sub.H;
a fifth input information calculating part that calculates fifth
input information g.sub.3=g.sup.r6; a sixth input information
calculating part that calculates sixth input information
h.sub.3=.mu..sub.h.sup.r7.sigma.h; a third list information
calculating part that calculates z.sub.3.nu..sup.-r6r7 using
z.sub.3.epsilon.F received from said calculating apparatus; a third
list storage part that stores an information set (r.sub.6,
z.sub.3.nu..sup.-r6r7) composed of said r.sub.6 and said calculated
z.sub.3.nu..sup.-r6r7; an eighth random number generating part that
generates a uniform random number d.sub.2 that is an integer equal
to or greater than 0 and smaller than K; a ninth random number
generating part that generates a uniform random number r.sub.9 that
is an integer equal to or greater than 0 and smaller than K.sub.G;
a tenth random number generating part that generates a uniform
random number r.sub.10 that is an integer equal to or greater than
0 and smaller than K.sub.H; a seventh input information calculating
part that calculates seventh input information
g.sub.4=.mu..sub.g.sup.r9; an eighth input information calculating
part that calculates eighth input information
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2; a fourth list
information calculating part that calculates
z.sub.4.nu.'.sup.-r9r10 using z.sub.4.epsilon.F received from said
calculating apparatus; a fourth list storage part that stores an
information set (d.sub.2, r.sub.9, z.sub.4.nu.'.sup.-r9r10)
composed of said d.sub.2, said r.sub.9 and said calculated
z.sub.4.nu.'.sup.-r9r10; and a second determining part that
determines whether or not the information set read from said third
list storage part and the information set read from said fourth
list storage part satisfy a relation (w.sub.3)
(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4, and outputs (w.sub.3)
(s.sub.3.sup.-1) in a case where the relation is satisfied, where
s.sub.3 and w.sub.3 are a first component and a second component of
the information set read from said third list storage part,
respectively, and t.sub.4, s.sub.4 and w.sub.4 are a first
component, a second component and a third component of the
information set read from said fourth list storage part,
respectively, and said calculating apparatus comprises: a first
output information calculating part that is capable of calculating
.theta.(g.sub.1, h.sub.1) using g.sub.1 and h.sub.1 received from
said requesting apparatus and outputs the calculation result as
said z.sub.1; a second output information calculating part that is
capable of calculating .theta.(g.sub.2, h.sub.2) using g.sub.2 and
h.sub.2 received from said requesting apparatus and outputs the
calculation result as said z.sub.2; a third output information
calculating part that is capable of calculating .theta.(g.sub.3,
h.sub.3) using g.sub.3 and h.sub.3 received from said requesting
apparatus and outputs the calculation result as said z.sub.3; and a
fourth output information calculating part that is capable of
calculating .theta.(g.sub.4, h.sub.4) using g.sub.4 and h.sub.4
received from said requesting apparatus and outputs the calculation
result as said z.sub.4, where G, H and F are cyclic groups, a map
.theta.: G.times.H.fwdarw.F is a bi-homomorphism, g is an element
of the group G, h is an element of the group H, K.sub.G is an order
of the group G, K.sub.H is an order of the group H, .mu..sub.g is a
generator of the group G, .mu..sub.h is a generator of the group H,
.nu.=.theta.(.mu..sub.g, .mu..sub.g), k is a security parameter that is a
natural number, and K=2.sup.k.
9. The proxy calculation system according to claim 8, wherein said
first input information calculating part calculates first input
information g.sub.1=g.sup.r1, said first list information
calculating part calculates r.sub.1r.sub.2 using said r.sub.1 and
said r.sub.2, and said first list storage part stores an
information set (r.sub.1r.sub.2, z.sub.1) composed of said
calculated r.sub.1r.sub.2 and z.sub.1.epsilon.F received from said
calculating apparatus.
10. The proxy calculation system according to claim 8 or 9, wherein
said sixth input information calculating part calculates sixth
input information h.sub.3=h.sup.r7, said third list information
calculating part calculates r.sub.6r.sub.7 using said r.sub.6 and
said r.sub.7, and said third list storage part stores an
information set (r.sub.6r.sub.7, z.sub.3) composed of said
calculated r.sub.6r.sub.7 and z.sub.3.epsilon.F received from said
calculating apparatus.
11. The proxy calculation system according to any one of claims 8
to 10, wherein said first determining part substitutes
t.sub.1s.sub.2 for .sigma. and w.sub.2 for .nu.' in a case where
said relation is satisfied, and said tenth random number generating
part calculates -r.sub.9.sup.-1 using said r.sub.9 and designates
the calculation result as r.sub.10.
12. The proxy calculation system according to claim 11, wherein
said seventh random number generating part calculates
-r.sub.6.sup.-1 using said r.sub.6 and designates the calculation
result as r.sub.7, and said third list storage part stores an
information set (1, z.sub.3.nu..sup.-r6r7) composed of 1 and said
calculated z.sub.3.nu.'.sup.-r6r7.
13. The proxy calculation system according to any one of claims 8
to 12, wherein said fourth random number generating part calculates
-r.sub.5.sup.-1 using said r.sub.5 and designates the calculation
result as r.sub.4.
14. The proxy calculation system according to any one of claims 8
to 13, further comprising: a pre-calculation part that calculates
g.sup.d1 using said d.sub.1, wherein said third input information
calculating part calculates said g.sub.2 using said previously
calculated g.sup.d1.
15. The proxy calculation system according to any one of claims 8
to 14, further comprising: a pre-calculation part that calculates
h.sup.d2 using said d.sub.2, wherein said eighth input information
calculating part calculates said h.sub.4 using said previously
calculated h.sup.d2.
16. A proxy calculation method of calculating .theta.(g, h) using a
result of a calculation performed by a calculating apparatus in
response to a request from a requesting apparatus, comprising: a
first random number generating step in which a first random number
generating part of said requesting apparatus generates a random
number r.sub.1 that is an integer equal to or greater than 0 and
smaller than K.sub.G; a second random number generating step in
which a second random number generating part of said requesting
apparatus generates a random number r.sub.2 that is an integer
equal to or greater than 0 and smaller than K.sub.H; a first input
information calculating step in which a first input information
calculating part of said requesting apparatus calculates first
input information g.sub.1=.mu..sub.g.sup.r1g; a second input
information calculating step in which a second input information
calculating part of said requesting apparatus calculates second
input information h.sub.1=.mu..sub.h.sup.r2; a first output
information calculating step in which a first output information
calculating part of said calculating apparatus capable of
calculating .theta.(g.sub.1, h.sub.1) using g.sub.1 and h.sub.1
received from said requesting apparatus outputs the calculation
result as said z.sub.1; a first list information calculating step
in which a first list information calculating part of said
requesting apparatus calculates z.sub.1.nu..sup.-r1r2 using
z.sub.1.epsilon.F received from said calculating apparatus; a step
in which a first list storage part of said requesting apparatus
stores an information set (r.sub.2, z.sub.1.nu..sup.-r1r2) composed
of said random number r.sub.2 and said calculated
z.sub.1.nu..sup.-r1r2; a third random number generating step in
which a third random number generating part of said requesting
apparatus generates a uniform random number d.sub.1 that is an
integer equal to or greater than 0 and smaller than K; a fourth
random number generating step in which a fourth random number
generating part of said requesting apparatus generates a uniform
random number r.sub.4 that is an integer equal to or greater than 0
and smaller than K.sub.G; a fifth random number generating step in
which a fifth random number generating part of said requesting
apparatus generates a uniform random number r.sub.5 that is an
integer equal to or greater than 0 and smaller than K.sub.H; a
third input information calculating step in which a third input
information calculating part of said requesting apparatus
calculates third input information
g.sub.2=.mu..sub.g.sup.r4g.sup.d1; a fourth input information
calculating step in which a fourth input information calculating
part of said requesting apparatus calculates fourth input
information h.sub.2=.mu..sub.h.sup.r5; a second output information
calculating step in which a second output information calculating
part of said calculating apparatus capable of calculating
.theta.(g.sub.2, h.sub.2) using g.sub.2 and h.sub.2 received from
said requesting apparatus outputs the calculation result as said
z.sub.2; a second list information calculating step in which a
second list information calculating part of said requesting
apparatus calculates z.sub.2.nu..sup.-r4r5 using z.sub.2.epsilon.F
received from said calculating apparatus; a step in which a second
list storage part of said requesting apparatus stores an
information set (d.sub.1, r.sub.5, z.sub.2.nu..sup.-r4r5) composed
of said d.sub.1, said r.sub.5 and said calculated
z.sub.2.nu..sup.-r4r5; a first determination step in which a first
determining part of said requesting apparatus determines whether or
not the information set read from said first list storage part and
the information set read from said second list storage part satisfy
a relation (w.sub.1) (t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2, and
substitutes s.sub.1 for .sigma. and w.sub.1 for .nu.' in a case
where the relation is satisfied, where s.sub.1 and w.sub.1 are a
first component and a second component of the information set read
from said first list storage part, respectively, and t.sub.2,
s.sub.2 and w.sub.2 are a first component, a second component and a
third component of the information set read from said second list
storage part, respectively; a sixth random number generating step
in which a sixth random number generating part of said requesting
apparatus generates a uniform random number r.sub.6 that is an
integer equal to or greater than 0 and smaller than K.sub.G; a
seventh random number generating step in which a seventh random
number generating part of said requesting apparatus generates a
uniform random number r.sub.7 that is an integer equal to or
greater than 0 and smaller than K.sub.H; a fifth input information
calculating step in which a fifth input information calculating
part of said requesting apparatus calculates fifth input
information g.sub.3=g.sup.r6; a sixth input information calculating
step in which a sixth input information calculating part of said
requesting apparatus calculates sixth input information
h.sub.3=.mu..sub.h.sup.r7.sigma.h; a third output information
calculating step in which a third output information calculating
part of said calculating apparatus capable of calculating
.theta.(g.sub.3, h.sub.3) using g.sub.3 and h.sub.3 received from
said requesting apparatus outputs the calculation result as said
z.sub.3; a third list information calculating step in which a third
list information calculating part of said requesting apparatus
calculates z.sub.3.nu.'.sup.-r6r7 using z.sub.3.epsilon.F received
from said calculating apparatus; a step in which a third list
storage part of said requesting apparatus stores an information set
(r.sub.6, z.sub.3.nu.'.sup.-r6r7) composed of said r.sub.6 and said
calculated z.sub.3.nu..sup.-r6r7; an eighth random number
generating step in which an eighth random number generating part of
said requesting apparatus generates a uniform random number d.sub.2
that is an integer equal to or greater than 0 and smaller than K; a
ninth random number generating step in which a ninth random number
generating part of said requesting apparatus generates a uniform
random number r.sub.9 that is an integer equal to or greater than 0
and smaller than K.sub.G; a tenth random number generating step in
which a tenth random number generating part of said requesting
apparatus generates a uniform random number r.sub.10 that is an
integer equal to or greater than 0 and smaller than K.sub.H; a
seventh input information calculating step in which a seventh input
information calculating part of said requesting apparatus
calculates seventh input information g.sub.4=.mu..sub.g.sup.r9; an
eighth input information calculating step in which an eighth input
information calculating part of said requesting apparatus
calculates eighth input information
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2; a fourth output
information calculating step in which a fourth output information
calculating part of said calculating apparatus capable of
calculating .theta.(g.sub.4, h.sub.4) using g.sub.4 and h.sub.4
received from said requesting apparatus outputs the calculation
result as said z.sub.4; a fourth list information calculating step
in which a fourth list information calculating part of said
requesting apparatus calculates z.sub.4.nu.'.sup.-r9r10 using
z.sub.4.epsilon.F received from said calculating apparatus; a step
in which a fourth list storage part of said requesting apparatus
stores an information set (d.sub.2, r.sub.9,
z.sub.4.nu.'.sup.-r9r10) composed of said d.sub.2, said r.sub.9 and
said calculated z.sub.4.nu.'.sup.-r9r10; and a second determination
step in which a second determining part of said requesting
apparatus determines whether or not the information set read from
said third list storage part and the information set read from said
fourth list storage part satisfy a relation (w.sub.3)
(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4, and outputs (w.sub.3)
(s.sub.3.sup.-1) in a case where the relation is satisfied, where
s.sub.3 and w.sub.3 are a first component and a second component of
the information set read from said third list storage part,
respectively, and t.sub.4, s.sub.4 and w.sub.4 are a first
component, a second component and a third component of the
information set read from said fourth list storage part,
respectively, where G, H and F are cyclic groups, a map .theta.:
G.times.H.fwdarw.F is a bi-homomorphism, g is an element of the
group G, h is an element of the group H, K.sub.G is an order of the
group G, K.sub.H is an order of the group H, .mu..sub.g is a
generator of the group G, .mu..sub.h is a generator of the group H,
.nu.=.theta.(.mu..sub.g, .mu..sub.g), k is a security parameter
that is an integer, and K=2.sup.k.
17. A requesting apparatus in a proxy calculation system that
calculates .theta.(g, h) using a result of a calculation performed
by a calculating apparatus in response to a request from the
requesting apparatus, comprising: a first random number generating
part that generates a random number r.sub.1 that is an integer
equal to or greater than 0 and smaller than K.sub.G; a second
random number generating part that generates a random number
r.sub.2 that is an integer equal to or greater than 0 and smaller
than K.sub.H; a first input information calculating part that
calculates first input information g.sub.1=.mu..sub.g.sup.r1g; a
second input information calculating part that calculates second
input information h.sub.1=.mu..sub.h.sup.r2; a first list
information calculating part that calculates z.sub.1.nu..sup.-r1r2
using z.sub.1.epsilon.F received from said calculating apparatus; a
first list storage part that stores an information set (r.sub.2,
z.sub.1.nu..sup.-r1r2) composed of said random number r.sub.2 and
said calculated z.sub.1.nu..sup.-r1r2; a third random number
generating part that generates a uniform random number d.sub.1 that
is an integer equal to or greater than 0 and smaller than K; a
fourth random number generating part that generates a uniform
random number r.sub.4 that is an integer equal to or greater than 0
and smaller than K.sub.G; a fifth random number generating part
that generates a uniform random number r.sub.5 that is an integer
equal to or greater than 0 and smaller than K.sub.H; a third input
information calculating part that calculates third input
information g.sub.2=.mu..sub.g.sup.r4g.sup.d1; a fourth input
information calculating part that calculates fourth input
information h.sub.2=.mu..sub.h.sup.r5; a second list information
calculating part that calculates z.sub.2.nu..sup.-r4r5 using
z.sub.2.epsilon.F received from said calculating apparatus; a
second list storage part that stores an information set (d.sub.1,
r.sub.5, z.sub.2.nu..sup.-r4r5) composed of said d.sub.1, said
r.sub.5 and said calculated z.sub.2.nu..sup.-r4r5; a first
determining part that determines whether or not the information set
read from said first list storage part and the information set read
from said second list storage part satisfy a relation (w.sub.1)
(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2, and substitutes s.sub.1 for
.sigma. and w.sub.1 for .nu.' in a case where the relation is
satisfied, where s.sub.1 and w.sub.1 are a first component and a
second component of the information set read from said first list
storage part, respectively, and t.sub.2, s.sub.2 and w.sub.2 are a
first component, a second component and a third component of the
information set read from said second list storage part,
respectively; a sixth random number generating part that generates
a uniform random number r.sub.6 that is an integer equal to or
greater than 0 and smaller than K.sub.G; a seventh random number
generating part that generates a uniform random number r.sub.7 that
is an integer equal to or greater than 0 and smaller than K.sub.H;
a fifth input information calculating part that calculates fifth
input information g.sub.3=g.sup.r6; a sixth input information
calculating part that calculates sixth input information
h.sub.3=.mu..sub.h.sup.r7.sigma.h; a third list information
calculating part that calculates z.sub.3.nu.'.sup.-r6r7 using
z.sub.3.epsilon.F received from said calculating apparatus; a third
list storage part that stores an information set (r.sub.6,
z.sub.3.nu.'.sup.-r6r7) composed of said r.sub.6 and said
calculated z.sub.3.nu.'.sup.-r6r7; an eighth random number
generating part that generates a uniform random number d.sub.2 that
is an integer equal to or greater than 0 and smaller than K; a
ninth random number generating part that generates a uniform random
number r.sub.9 that is an integer equal to or greater than 0 and
smaller than K.sub.G; a tenth random number generating part that
generates a uniform random number r.sub.10 that is an integer equal
to or greater than 0 and smaller than K.sub.H; a seventh input
information calculating part that calculates seventh input
information g.sub.4=.mu..sub.g.sup.r9; an eighth input information
calculating part that calculates eighth input information
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2; a fourth list
information calculating part that calculates
z.sub.4.nu.'.sup.-r9r10 using z.sub.4.epsilon.F received from said
calculating apparatus; a fourth list storage part that stores an
information set (d.sub.2, r.sub.9, z.sub.4.nu.'.sup.-r9r10)
composed of said d.sub.2, said r.sub.9 and said calculated
z.sub.4.nu.'.sup.-r9r10; and a second determining part that
determines whether or not the information set read from said third
list storage part and the information set read from said fourth
list storage part satisfy a relation
(w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4, and outputs
(w.sub.3).sup.(s.sub.3.sup.-1) in a case where the relation is satisfied, where
s.sub.3 and w.sub.3 are a first component and a second component of
the information set read from said third list storage part,
respectively, and t.sub.4, s.sub.4 and w.sub.4 are a first
component, a second component and a third component of the
information set read from said fourth list storage part,
respectively, where G, H and F are cyclic groups, a map .theta.:
G.times.H.fwdarw.F is a bi-homomorphism, g is an element of the
group G, h is an element of the group H, K.sub.G is an order of the
group G, K.sub.H is an order of the group H, .mu..sub.g is a
generator of the group G, .mu..sub.h is a generator of the group H,
.nu.=.theta.(.mu..sub.g, .mu..sub.h), k is a security parameter
that is a natural number, and K=2.sup.k.
18. A program that makes a computer function as each part of a
requesting apparatus according to claim 7 or 17.
19. A computer-readable recording medium in which the program
according to claim 18 is recorded.
Description
TECHNICAL FIELD
[0001] The present invention relates to a calculation technique by
means of a computer. In particular, it relates to a technique of
performing a calculation using the result of a calculation
performed by another calculator.
BACKGROUND ART
[0002] An art for a requesting apparatus to request a calculating
apparatus that does not always make a correct calculation to
perform a calculation and calculate a function f using the result
of the calculation is described in Non-patent literature 1. The
self-corrector described in Non-patent literature 1 calculates the
function f by requesting the calculating apparatus to perform the
calculation a plurality of times and adopting the calculation
result by majority decision (see Non-patent literature 1, for
example).
PRIOR ART LITERATURE
[0003] Non-Patent Literature
[0004] Non-patent literature 1: M. Blum, M. Luby, and R. Rubinfeld,
"Self-Testing/Correcting with Applications to Numerical Problems",
STOC 1990, pp. 73-83.
DISCLOSURE OF THE INVENTION
Problems to be Solved by the Invention
[0005] However, in order for the self-corrector described in
Non-patent literature 1 to properly operate, the calculating
apparatus has to make a correct calculation with a probability
equal to or higher than a certain level. There is a problem in that
there is no known art of calculating a function f with a
calculating apparatus that makes a correct calculation with a low
probability.
Means to Solve the Problems
[0006] A proxy calculation system according to a first aspect of
the present invention comprises: an integer calculation part that
calculates integers a' and b' that satisfy a relation a'a+b'b=1
using two natural numbers a and b that are relatively prime; a
first randomizable sampler that is capable of calculating
f(x).sup.bx.sub.1 and designates the calculation result as u; a
first exponentiation part that calculates u'=u.sup.a; a second
randomizable sampler that is capable of calculating
f(x).sup.ax.sub.2 and designates the calculation result as v; a
second exponentiation part that calculates v'=v.sup.b; a
determining part that determines whether u'=v' or not; and a final
calculation part that calculates u.sup.b'v.sup.a' in a case where
it is determined that u'=v', where G and H are cyclic groups, f is
a function that maps an element x of the group H into the group G,
X.sub.1 and X.sub.2 are random variables whose values are elements
of the group G, x.sub.1 is a realized value of the random variable
X.sub.1, and x.sub.2 is a realized value of the random variable
X.sub.2.
[0007] In a proxy calculation system according to a second aspect
of the present invention, a requesting apparatus comprises: a first
random number generating part that generates a random number
r.sub.1 that is an integer equal to or greater than 0 and smaller
than K.sub.G; a second random number generating part that generates
a random number r.sub.2 that is an integer equal to or greater than
0 and smaller than K.sub.H; a first input information calculating
part that calculates first input information
g.sub.1=.mu..sub.g.sup.r1g; a second input information calculating
part that calculates second input information
h.sub.1=.mu..sub.h.sup.r2; a first list information calculating
part that calculates z.sub.1.nu..sup.-r1r2 using z.sub.1.epsilon.F
received from a calculating apparatus; a first list storage part
that stores an information set (r.sub.2, z.sub.1.nu..sup.-r1r2)
composed of the random number r.sub.2 and the calculated
z.sub.1.nu..sup.-r1r2; a third random number generating part that
generates a uniform random number d.sub.1 that is an integer equal
to or greater than 0 and smaller than K; a fourth random number
generating part that generates a uniform random number r.sub.4 that
is an integer equal to or greater than 0 and smaller than K.sub.G;
a fifth random number generating part that generates a uniform
random number r.sub.5 that is an integer equal to or greater than 0
and smaller than K.sub.H; a third input information calculating
part that calculates third input information
g.sub.2=.mu..sub.g.sup.r4g.sup.d1; a fourth input information
calculating part that calculates fourth input information
h.sub.2=.mu..sub.h.sup.r5; a second list information calculating
part that calculates z.sub.2.nu..sup.-r4r5 using z.sub.2.epsilon.F
received from the calculating apparatus; a second list storage part
that stores an information set (d.sub.1, r.sub.5,
z.sub.2.nu..sup.-r4r5) composed of d.sub.1, r.sub.5 and the
calculated z.sub.2.nu..sup.-r4r5; a first determining part that
determines whether or not the information set read from the first
list storage part and the information set read from the second list
storage part satisfy a relation
(w.sub.1).sup.(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2, and substitutes s.sub.1 for
.sigma. and w.sub.1 for .nu.' in a case where the relation is satisfied,
where s.sub.1 and w.sub.1 are a first component and a second
component of the information set read from the first list storage
part, respectively, and t.sub.2, s.sub.2 and w.sub.2 are a first
component, a second component and a third component of the
information set read from the second list storage part,
respectively; a sixth random number generating part that generates
a uniform random number r.sub.6 that is an integer equal to or
greater than 0 and smaller than K.sub.G; a seventh random number
generating part that generates a uniform random number r.sub.7 that
is an integer equal to or greater than 0 and smaller than K.sub.H;
a fifth input information calculating part that calculates fifth
input information g.sub.3=g.sup.r6; a sixth input information
calculating part that calculates sixth input information
h.sub.3=.mu..sub.h.sup.r7.sigma.h; a third list information
calculating part that calculates z.sub.3.nu.'.sup.-r6r7 using
z.sub.3.epsilon.F received from the calculating apparatus; a third
list storage part that stores an information set (r.sub.6,
z.sub.3.nu.'.sup.-r6r7) composed of r.sub.6 and the calculated
z.sub.3.nu.'.sup.-r6r7; an eighth random number generating part
that generates a uniform random number d.sub.2 that is an integer
equal to or greater than 0 and smaller than K; a ninth random
number generating part that generates a uniform random number
r.sub.9 that is an integer equal to or greater than 0 and smaller
than K.sub.G; a tenth random number generating part that generates
a uniform random number r.sub.10 that is an integer equal to or
greater than 0 and smaller than K.sub.H; a seventh input
information calculating part that calculates seventh input
information g.sub.4=.mu..sub.g.sup.r9; an eighth input information
calculating part that calculates eighth input information
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2; a fourth list
information calculating part that calculates
z.sub.4.nu.'.sup.-r9r10 using z.sub.4.epsilon.F received from the
calculating apparatus; a fourth list storage part that stores an
information set (d.sub.2, r.sub.9, z.sub.4.nu.'.sup.-r9r10)
composed of d.sub.2, r.sub.9 and the calculated
z.sub.4.nu.'.sup.-r9r10; and a second determining part that
determines whether or not the information set read from the third
list storage part and the information set read from the fourth list
storage part satisfy a relation
(w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4, and outputs
(w.sub.3).sup.(s.sub.3.sup.-1) in a case where the relation is satisfied, where
s.sub.3 and w.sub.3 are a first component and a second component of
the information set read from the third list storage part,
respectively, and t.sub.4, s.sub.4 and w.sub.4 are a first
component, a second component and a third component of the
information set read from the fourth list storage part,
respectively, where G, H and F are cyclic groups, a map .theta.:
G.times.H.fwdarw.F is a bi-homomorphism, g is an element of the
group G, h is an element of the group H, K.sub.G is an order of the
group G, K.sub.H is an order of the group H, .mu..sub.g is a
generator of the group G, .mu..sub.h is a generator of the group H,
.nu.=.theta.(.mu..sub.g, .mu..sub.h), k is a security parameter
that is a natural number, and K=2.sup.k. The calculating apparatus
comprises: a first output information calculating part that is
capable of calculating .theta.(g.sub.1, h.sub.1) using g.sub.1 and
h.sub.1 received from the requesting apparatus and outputs the
calculation result as z.sub.1; a second output information
calculating part that is capable of calculating .theta.(g.sub.2,
h.sub.2) using g.sub.2 and h.sub.2 received from the requesting
apparatus and outputs the calculation result as z.sub.2; a third
output information calculating part that is capable of calculating
.theta.(g.sub.3, h.sub.3) using g.sub.3 and h.sub.3 received from
the requesting apparatus and outputs the calculation result as
z.sub.3; and a fourth output information calculating part that is
capable of calculating .theta.(g.sub.4, h.sub.4) using g.sub.4 and
h.sub.4 received from the requesting apparatus and outputs the
calculation result as z.sub.4.
Effects of the Invention
[0008] A calculating apparatus that makes a correct calculation
with a low probability can be used to calculate a function f.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] FIG. 1 is a functional block diagram showing an example of a
proxy calculation system according to first to third
embodiments;
[0010] FIG. 2 is a functional block diagram showing an example of a
requesting apparatus and a calculating apparatus according to the
first to third embodiments;
[0011] FIG. 3 is a functional block diagram showing an example of a
sampler according to the first to third embodiments;
[0012] FIG. 4 is a functional block diagram showing an example of a
first randomizable sampler and a second randomizable sampler
according to the first to third embodiments;
[0013] FIG. 5 is a functional block diagram showing another example
of the first randomizable sampler and the second randomizable
sampler according to the first to third embodiments;
[0014] FIG. 6 is a flowchart showing an example of a proxy
calculation method according to the first to third embodiments;
[0015] FIG. 7 is a flowchart showing an example of Step S3;
[0016] FIG. 8 is a flowchart showing an example of Step S6;
[0017] FIG. 9 is a flowchart showing another example of Step
S3;
[0018] FIG. 10 is a flowchart showing another example of Step
S6;
[0019] FIG. 11 is a functional block diagram showing an example of
a proxy calculation system according to fourth to tenth
embodiments;
[0020] FIG. 12 is a functional block diagram showing an example of
a requesting apparatus according to the fourth to tenth
embodiments;
[0021] FIG. 13 is a functional block diagram showing an example of
the requesting apparatus according to the fourth to tenth
embodiments;
[0022] FIG. 14 is a functional block diagram showing an example of
a calculating apparatus according to the fourth to tenth
embodiments;
[0023] FIG. 15 is a flowchart showing an example of a proxy
calculation method according to the fourth to tenth
embodiments;
[0024] FIG. 16 is a flowchart showing the example of the proxy
calculation method according to the fourth to tenth embodiments;
and
[0025] FIG. 17 is a functional block diagram showing a modification
of the proxy calculation system.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0026] In the following, proxy calculation systems and proxy
calculation methods according to embodiments of the present
invention will be described in detail.
[0027] According to a first and a second embodiment, a function
f(x) is calculated using the result of a calculation performed by a
calculating apparatus 2 in response to a request from a requesting
apparatus 1.
First Embodiment
[0028] A proxy calculation system according to the first embodiment
comprises the requesting apparatus 1 and the calculating apparatus
2 as illustrated in FIG. 1, and calculates the function f(x) using
the result of a calculation performed by the calculating apparatus
2 in response to a request from the requesting apparatus 1.
[0029] As shown in FIG. 2, the requesting apparatus 1 comprises a
natural number storage part 11, an integer calculation part 12, a
first exponentiation part 13, a first list storage part 14, a
determining part 15, a second exponentiation part 16, a second list
storage part 17, a control part 18, and a final calculation part
19, for example. The calculating apparatus 2 comprises a first
randomizable sampler 21 and a second randomizable sampler 22, for
example. According to the first embodiment, the first randomizable
sampler 21 and the second randomizable sampler 22 correspond to the
calculating apparatus 2.
[0030] It is supposed that G and H denote cyclic groups, the
function f: H.fwdarw.G is a function that maps an element x of the
group H into the group G, .mu..sub.g and .mu..sub.h denote the
generators of the groups G and H, respectively, X.sub.1 and X.sub.2
denote random variables whose values are elements of the group G,
x.sub.1 denotes a realized value of the random variable X.sub.1,
and x.sub.2 denotes a realized value of the random variable
X.sub.2.
[0031] It is assumed that the natural number storage part 11 stores
a plurality of pairs (a, b) of natural numbers a and b that are
relatively prime. Provided that I denotes a set of pairs of
relatively prime natural numbers smaller than the order of the
group G, it can be considered that the natural number storage part
11 stores sets (a, b) of natural numbers a and b that correspond to
a subset S of the set I.
[0032] The integer calculation part 12 randomly reads in one set
(a, b) of natural numbers from the plurality of sets (a, b) of
natural numbers stored in the natural number storage part 11, and
calculates integers a' and b' that satisfy a relation a'a+b'b=1
using the read-in set (a, b) of natural numbers (Step S1). Since
the natural numbers a and b are relatively prime, the integers a'
and b' that satisfy the relation a'a+b'b=1 exist without fail.
Information on the set (a, b) of natural numbers is transmitted to
the first exponentiation part 13, the second exponentiation part
16, the first randomizable sampler 21 and the second randomizable
sampler 22. Information on the set (a', b') of integers is
transmitted to the final calculation part 19.
[0033] The control part 18 assumes that t=1 (Step S2).
[0034] The first randomizable sampler 21 is capable of calculating
f(x).sup.bx.sub.1 and performs the calculation using x and b, and
the calculation result is denoted by u (Step S3). The calculation
result u is transmitted to the first exponentiation part 13.
[0035] In this application, the expression "be capable of
calculating" means that a calculation is possible with a
probability equal to or higher than a non-negligible probability.
The expression "non-negligible probability" means a probability
equal to or higher than 1/F(k), where F(k) denotes a polynomial
that is a monotone function of a security parameter k in a broad
sense.
[0036] To calculate f(x).sup.bx.sub.1 means to calculate the value
of the formula defined as f(x).sup.bx.sub.1. Any calculation
process can be used as far as the value of the formula
f(x).sup.bx.sub.1 can be finally calculated. The same holds true
for calculation of any other formulas found in this
application.
[0037] The first exponentiation part 13 calculates u'=u.sup.a (Step
S4). The set (u, u') of the calculation result u and u' calculated
based on the calculation result is stored in the first list storage
part 14.
[0038] The determining part 15 determines whether or not there are
values u' and v' that satisfy a relation u'=v' in the sets (u, u')
stored in the first list storage part 14 and sets (v, v') stored in
the second list storage part 17 (Step S5). If the second list
storage part 17 stores no set (v, v'), the processing of Step S5 is
omitted, and the process proceeds to the processing of the
following Step S6. If there are values that satisfy the relation
u'=v', the process proceeds to Step S12. If there are no values
that satisfy the relation u'=v', the process proceeds to Step
S6.
[0039] The second randomizable sampler 22 is capable of calculating
f(x).sup.ax.sub.2 and performs the calculation using x and a, and
the calculation result is denoted by v (Step S6). The calculation
result v is transmitted to the second exponentiation part 16.
[0040] The second exponentiation part 16 calculates v'=v.sup.b
(Step S7). The set (v, v') of the calculation result v and v'
calculated based on the calculation result is stored in the second
list storage part 17.
[0041] The determining part 15 determines whether or not there are
values u' and v' that satisfy the relation u'=v' in the sets (u,
u') stored in the first list storage part 14 and the sets (v, v')
stored in the second list storage part 17 (Step S8). If there are
values that satisfy the relation u'=v', the process proceeds to
Step S12. If there are no values that satisfy the relation u'=v',
the process proceeds to Step S9.
[0042] The control part 18 determines whether or not t=T (Step S9).
T denotes a predetermined natural number. If t=T, information that
the calculation is impossible, such as a symbol ".perp.", is output
(Step S11), and the process ends. If t.noteq.T, the control part 18
increments t by 1 (t=t+1) (Step S10), and the process returns to
Step S3.
[0043] The information that the calculation is impossible (the
symbol ".perp." in this example) means that the calculation
reliability of the calculating apparatus 2 is lower than a
reference determined by T. In other words, it means that the T
repeated calculations have failed.
[0044] When it is determined that there are values u' and v' that
satisfy the relation u'=v', the final calculation part 19
calculates u.sup.b' and v.sup.a' using u and v corresponding to the
values u' and v' and outputs the values u.sup.b' and v.sup.a' (Step
S12). The calculated u.sup.b' and v.sup.a' satisfy a relation
u.sup.b'v.sup.a'=f(x). A reason why the relation
u.sup.b'v.sup.a'=f(x) holds will be described below.
[0045] <<Reason why u.sup.b'v.sup.a'=f(x) Holds>>
[0046] It is assumed that X denotes a random variable whose value
is an element of the group G. An entity in a calculating apparatus
that extracts a sample x' according to a random variable X and
transmits back wx' where w.epsilon.G in response to each request is
referred to as a sampler with an error X for an element w.
[0047] An entity in a calculating apparatus that extracts a sample
x' according to a random variable X and transmits back w.sup.ax' where
w.epsilon.G in response to each input of a natural number a is
referred to as a randomizable sampler with an error X for an
element w. The randomizable sampler used on the assumption that a=1
serves as a sampler.
[0048] Configured to receive x and output f(x), the proxy
calculation system according to this embodiment uses the first
randomizable sampler 21 with an error X.sub.1 for f(x) and the
second randomizable sampler 22 with an error X.sub.2 for f(x).
[0049] The inventor has found that the relation u'=v', that is, the
relation u.sup.a=v.sup.b is highly likely to hold when the first
randomizable sampler 21 correctly calculates u=f(x).sup.bx.sub.1,
the second randomizable sampler 22 correctly calculates
v=f(x).sup.ax.sub.2, and x.sub.1 and x.sub.2 are unit elements
e.sub.g of the group G. The proof is omitted herein.
[0050] When the first randomizable sampler 21 correctly calculates
u=f(x).sup.bx.sub.1, the second randomizable sampler 22 correctly
calculates v=f(x).sup.ax.sub.2, and x.sub.1 and x.sub.2 are unit
elements e.sub.g of the group G, the following relation holds:
$$u^{b'}v^{a'}=(f(x)^{b}x_{1})^{b'}(f(x)^{a}x_{2})^{a'}=(f(x)^{b}e_{g})^{b'}(f(x)^{a}e_{g})^{a'}=f(x)^{bb'}e_{g}^{b'}f(x)^{aa'}e_{g}^{a'}=f(x)^{(bb'+aa')}=f(x).$$
[0051] A function .pi..sub.i for each i (=1, 2) is defined as
.pi..sub.i(q.sub.1, q.sub.2)=q.sub.i, where (q.sub.1, q.sub.2).epsilon.I.
Besides, it is assumed that L=min(#.pi..sub.1(S), #.pi..sub.2(S)).
The symbol #.cndot. denotes the order of a group .cndot.. When the
group G is a cyclic group, or the order of the group G is difficult
to calculate, the probability of the output of the proxy
calculation system described above not being f(x) when the output
is not the symbol ".perp." is expected to be of the order, at the
most, of T.sup.2L/#S with a negligible error. If L/#S is
negligible, and T is of the order of the polynomial order, the
proxy calculation system outputs f(x) with an overwhelmingly high
probability.
[0052] An example of the value of S that makes L/#S negligible is
S={(1, d)|d.epsilon.[2, |G|-1]}.
[0053] As shown by a dashed line in FIG. 2, the calculating
apparatus 2 may further comprise a sampler 23. The sampler 23 is
capable of calculating f(x)x.sub.3, where X.sub.3 is a random
variable whose value is an element of the group G, and x.sub.3
denotes a realized value of the random variable X.sub.3, and
performs the calculation instead of the second randomizable sampler
22 and designates the calculation result as v described above when
a=1, and performs the calculation instead of the first randomizable
sampler 21 and designates the calculation result as u described
above when b=1.
[0054] In general, the calculation amount of the sampler is smaller
than that of the randomizable sampler. If a=1, and b=1, the
calculation amount of the calculating apparatus 2 can be reduced by
using the sampler 23 for calculation instead of the first
randomizable sampler 21 and the second randomizable sampler 22.
Second Embodiment
[0055] The second embodiment relates to another specific example of
the first randomizable sampler 21 and the second randomizable
sampler 22 of the proxy calculation system, or in other words,
another specific example of Steps S3 and S6. The following
description will be mainly focused on differences from the first
embodiment, and redundant description of common things will be
omitted.
[0056] As shown in FIG. 3, the first randomizable sampler 21
according to the second embodiment comprises a first random number
generating part 110, a first input information calculating part
111, a first output information calculating part 24, and a first
calculating part 112, for example. As shown in FIG. 3, the second
randomizable sampler 22 according to the second embodiment
comprises a second random number generating part 113, a second
input information calculating part 114, a second output information
calculating part 25, and a second calculating part 115, for
example.
[0057] According to the second embodiment, the first random number
generating part 110, the first input information calculating part
111, the first calculating part 112, the second random number
generating part 113, the second input information calculating part
114 and the second calculating part 115 are included in the
requesting apparatus 1. The first output information calculating
part 24 and the second output information calculating part 25 are
included in the calculating apparatus 2. According to the second
embodiment, the first output information calculating part 24 and
the second output information calculating part 25 correspond to the
calculating apparatus 2.
[0058] According to the second embodiment, the function f is a
homomorphism. The generator of the group H is denoted by
.mu..sub.h, the order of the group H is denoted by K.sub.H, and
.nu.=f(.mu..sub.h).
[0059] Step S3 is composed of Steps S31 to S34 illustrated in FIG.
7.
[0060] The first random number generating part 110 generates a
uniform random number r.sub.1 that is an integer equal to or
greater than 0 and smaller than K.sub.H (Step S31). The generated
random number r.sub.1 is transmitted to the first input information
calculating part 111.
[0061] The first input information calculating part 111 calculates
first input information .mu..sub.h.sup.r1x.sup.b (Step S32). The
calculated first input information .mu..sub.h.sup.r1x.sup.b is
transmitted to the first output information calculating part
24.
[0062] The first output information calculating part 24 performs a
calculation using the first input information
.mu..sub.h.sup.r1x.sup.b and designates the calculation result as
first output information, z.sub.1 (Step S33). The calculated first
output information z.sub.1 is transmitted to the first calculating
part 112.
[0063] The first output information calculating part 24 is capable
of calculating f(.mu..sub.h.sup.r1x.sup.b). The result of the
calculation performed by the first output information calculating
part 24 may be or may not be f(.mu..sub.h.sup.r1x.sup.b).
[0064] The superscript "r1" of .mu..sub.h means r.sub.1. In
this way, in this application, in an expression
.alpha..sup..beta..gamma. where .alpha. denotes a first character, .beta.
denotes a second character and .gamma. denotes a numeral,
.beta..gamma. means .beta..sub..gamma., that is, .gamma. is a
subscript of .beta..
[0065] The first calculating part 112 calculates
z.sub.1.nu..sup.-r1 and designates the calculation result as u
(Step S34). The calculation result u is transmitted to the first
exponentiation part 13. Note that
u=z.sub.1.nu..sup.-r1=f(x).sup.bx.sub.1. That is,
z.sub.1.nu..sup.-r1 is a randomizable sampler with an error X.sub.1
for f(x). A reason therefor will be described later.
[0066] Step S6 is composed of Steps S61 to S64 illustrated in FIG.
8.
[0067] The second random number generating part 113 generates a
uniform random number r.sub.2 that is an integer equal to or
greater than 0 and smaller than K.sub.H (Step S61). The generated
random number r.sub.2 is transmitted to the second input
information calculating part 114.
[0068] The second input information calculating part 114 calculates
second input information .mu..sub.h.sup.r2x.sup.a (Step S62). The
calculated second input information .mu..sub.h.sup.r2x.sup.a is
transmitted to the second output information calculating part
25.
[0069] The second output information calculating part 25 performs a
calculation using the second input information
.mu..sub.h.sup.r2x.sup.a and designates the calculation result as
second output information z.sub.2 (Step S63). The calculated second
output information z.sub.2 is transmitted to the second calculating
part 115.
[0070] The second output information calculating part 25 is capable
of calculating f(.mu..sub.h.sup.r2x.sup.a). The result of the
calculation performed by the second output information calculating
part 25 may be or may not be f(.mu..sub.h.sup.r2x.sup.a).
[0071] The second calculating part 115 calculates
z.sub.2.nu..sup.-r2 and designates the calculation result as v
(Step S64). The calculation result v is transmitted to the second
exponentiation part 16. Note that
v=z.sub.2.nu..sup.-r2=f(x).sup.ax.sub.2. That is, z.sub.2.nu..sup.-r2
is a randomizable sampler with an error X.sub.2 for f(x). A reason
therefor will be described later.
[0072] In the second embodiment, if a=1, and b=1, the calculation
amount can be reduced by using the sampler 23 for calculation of
the value of u or v instead of the first randomizable sampler 21
and the second randomizable sampler 22.
[0073] As shown in FIG. 4, the sampler 23 according to the second
embodiment comprises a third random number generating part 116, a
third input information calculating part 117, a third output
information calculating part 26 and a third calculating part 118,
for example. The third random number generating part 116, the third
input information calculating part 117 and the third calculating
part 118 are included in the requesting apparatus 1. The third
output information calculating part 26 is included in the
calculating apparatus 2.
[0074] When a=1, and b=1, the sampler 23 performs the following
processings instead of the first randomizable sampler 21 and the
second randomizable sampler 22.
[0075] The third random number generating part 116 generates a
random number r.sub.3 that is an integer equal to or greater than 0
and smaller than K.sub.H. The generated random number r.sub.3 is
transmitted to the third input information calculating part
117.
[0076] The third input information calculating part 117 calculates
third input information x.sup.r3. The calculated third input
information x.sup.r3 is transmitted to the third output information
calculating part 26.
[0077] The third output information calculating part 26 performs a
calculation using the third input information x.sup.r3 and
designates the calculation result as third output information
z.sub.3. The calculated third output information z.sub.3 is
transmitted to the third calculating part 118.
[0078] The third output information calculating part 26 is capable
of calculating f(x.sup.r3). The result of the calculation performed
by the third output information calculating part 26 may be or may
not be f(x.sup.r3).
[0079] The third calculating part 118 calculates z.sub.3.sup.1/r3
and designates the calculation result as v when a=1 or as u when
b=1. The calculation result v is transmitted to the second
exponentiation part 16. The calculation result u is transmitted to
the first exponentiation part 13. Note that
u=v=z.sub.3.sup.1/r3=f(x)x.sub.3. That is, z.sub.3.sup.1/r3 is a
sampler with an error X.sub.3 for f(x). A reason therefor will be
described later.
[0080] When it is difficult to calculate z.sub.3.sup.1/r3, that is,
a root of z.sub.3, u and/or v can be calculated in the following
manner. The third calculating part 118 stores in a storage part
(not shown) a sequence of sets (.alpha..sub.1, .beta..sub.1),
(.alpha..sub.2, .beta..sub.2), . . . , (.alpha..sub.m,
.beta..sub.m) of the random numbers r.sub.3 and the values z.sub.3
calculated based on the random numbers r.sub.3, where m denotes a
natural number. When the least common multiple of .alpha..sub.1,
.alpha..sub.2, . . . , .alpha..sub.m is 1, the third calculating
part 118 can calculate .gamma..sub.1, .gamma..sub.2, . . . and
.gamma..sub.m that satisfy a relation
.gamma..sub.1.alpha..sub.1+.gamma..sub.2.alpha..sub.2+ . . .
+.gamma..sub.m.alpha..sub.m=1, where .gamma..sub.1, .gamma..sub.2,
. . . and .gamma..sub.m denote integers, calculate
.PI..sub.i=1.sup.m.beta..sub.i.sup..gamma.i=.beta..sub.1.sup..gamma.1.beta..sub.2.sup..gamma.2 . . . .beta..sub.m.sup..gamma.m, and
designate the calculation result as u and/or v.
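The root-free combination of [0080], as an added example that is not code from the patent: the requesting side stores pairs (.alpha., .beta.)=(r.sub.3, z.sub.3) until integers .gamma..sub.i with .gamma..sub.1.alpha..sub.1+ . . . +.gamma..sub.m.alpha..sub.m=1 exist, which is the case once the greatest common divisor of the stored .alpha..sub.i is 1, and then multiplies the .beta..sub.i.sup..gamma.i. The toy group, the choice f(x)=x.sup.s, and all function names are assumptions of this example.

```python
import secrets

# Constructed toy parameters: MU_H = 4 generates the subgroup of prime order
# Q = 1019 in Z_P^* with P = 2039, and H = G. Real groups are far larger.
P, Q, MU_H = 2039, 1019, 4


def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def bezout(alphas):
    """Return (g, gammas) with sum(gamma_i * alpha_i) == g == gcd(alphas)."""
    g, gammas = alphas[0], [1]
    for alpha in alphas[1:]:
        g, x, y = ext_gcd(g, alpha)
        # Rescale the coefficients found so far and append the new one.
        gammas = [x * c for c in gammas] + [y]
    return g, gammas


def sample_without_root(oracle, x, max_queries=64):
    """Sampler 23 without computing a root of z3.

    oracle(y) plays the third output information calculating part 26 and is
    expected to return f(y). Returns (value, alphas, gammas), where value is
    the product of beta_i^gamma_i, i.e. f(x) when every answer was correct.
    """
    alphas, betas = [], []
    for _ in range(max_queries):
        r3 = secrets.randbelow(Q)          # random number r3 in [0, K_H)
        if r3 == 0:
            continue                       # x^0 carries no information on x
        alphas.append(r3)
        betas.append(oracle(pow(x, r3, P)))  # z3 computed from x^r3
        g, gammas = bezout(alphas)
        if g == 1:
            value = 1
            for beta, gamma in zip(betas, gammas):
                # A negative gamma is a modular inverse (Python 3.8+); the
                # order of G is never used in this step.
                value = value * pow(beta, gamma, P) % P
            return value, alphas, gammas
    raise RuntimeError("stored exponents never became jointly coprime")


if __name__ == "__main__":
    s = 777                                # constructed secret exponent
    x = pow(MU_H, 123, P)                  # constructed input x in H
    value, alphas, gammas = sample_without_root(lambda y: pow(y, s, P), x)
    print(value == pow(x, s, P), alphas, gammas)
```

A single wrong answer among the stored .beta..sub.i corrupts the product, so the comparison of u and v performed by the determining part is still needed afterwards.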
[0081] Since information on x scrambled with the random numbers
r.sub.1, r.sub.2 and r.sub.3 in this way is transmitted to the
calculating apparatus 2, the value x.epsilon.H that is the target
of the calculation of the value of the function f can be concealed
from the calculating apparatus 2 and a third party intercepting the
communication between the requesting apparatus 1 and the
calculating apparatus 2.
[0082] <<Reason why z.sub.1.nu..sup.-r1 and
z.sub.2.nu..sup.-r2 are Randomizable Samplers with Errors X.sub.1
and X.sub.2 for f(x), Respectively>>
[0083] It is supposed that c denotes a natural number, R and R'
denote random numbers, the result of the calculation performed by
the calculating apparatus 2 using .mu..sub.h.sup.Rx.sup.c is
denoted as B(.mu..sub.h.sup.Rx.sup.c) (that is,
z=B(.mu..sub.h.sup.Rx.sup.c) provided that z is the calculation
result returned to the requesting apparatus 1 from the calculating
apparatus 2), and the random variable X whose value is an element
of the group G is defined as
X=B(.mu..sub.h.sup.R')f(.mu..sub.h.sup.R').sup.-1.
[0084] Then,
z.nu..sup.-R=B(.mu..sub.h.sup.Rx.sup.c)f(.mu..sub.h).sup.-R=Xf(.mu..sub.h.sup.Rx.sup.c)f(.mu..sub.h).sup.-R=Xf(.mu..sub.h).sup.Rf(x).sup.cf(.mu..sub.h).sup.-R=f(x).sup.cX.
That is, z.nu..sup.-R is a randomizable sampler with
an error X for f(x).
[0085] In development of the formula described above, properties
are used that
X=B(.mu..sub.h.sup.R')f(.mu..sub.h.sup.R').sup.-1=B(.mu..sub.h.sup.Rx.sup.c)f(.mu..sub.h.sup.Rx.sup.c).sup.-1
and
B(.mu..sub.h.sup.Rx.sup.c)=Xf(.mu..sub.h.sup.Rx.sup.c). These
properties are based on the facts that the function f is a
homomorphism, and R and R' are random numbers.
[0086] Therefore, taking into consideration the facts that a and b
are natural numbers, and r.sub.1 and r.sub.2 are random numbers,
z.sub.1.nu..sup.-r1 and z.sub.2.nu..sup.-r2 are randomizable
samplers with errors X.sub.1 and X.sub.2 for f(x),
respectively.
[0087] <<Reason why z.sub.3.sup.1/r3 is Sampler With Error
X.sub.3 for f(x)>>
[0088] It is supposed that R and R' denote random numbers, the
result of the calculation performed by the calculating apparatus 2
using x.sup.R is denoted as B(x.sup.R) (that is, z=B(x.sup.R)
provided that z is the calculation result returned to the
requesting apparatus 1 from the calculating apparatus 2), and the
random variable X whose value is an element of the group G is
defined as X=B(x.sup.R).sup.1/Rf(x).sup.-1.
[0089] Then, z.sup.1/R=B(x.sup.R).sup.1/R=Xf(x)=f(x)X. That is,
z.sup.1/R is a sampler with an error X for f(x).
[0090] In development of the formula described above, properties
are used that X=B(x.sup.R).sup.1/Rf(x.sup.R).sup.-1 and
B(x.sup.R).sup.1/R=Xf(x.sup.R). These properties are based on the
fact that R and R' are random numbers.
[0091] Therefore, taking into consideration the fact that r.sub.3
is a random number, z.sup.1/R is a randomizable sampler with an
error X.sub.3 for f(x).
Third Embodiment
[0092] A third embodiment relates to another specific example of
the first randomizable sampler 21 and the second randomizable
sampler 22 of the proxy calculation system, or in other words,
another specific example of Steps S3 and S6. More specifically, it
relates to a specific example of the first randomizable sampler 21
and the second randomizable sampler 22 in a case where H=G.times.G
and the function f is a decryption function for an ElGamal
encryption, that is, f(c.sub.1, c.sub.2)=c.sub.1c.sub.2.sup.-s for
a secret key s and a cipher text (c.sub.1, c.sub.2). The following
description will be mainly focused on differences from the first
embodiment, and redundant description of common things will be
omitted.
[0093] As shown in FIG. 5, the first randomizable sampler 21
according to the third embodiment comprises a fourth random number
generating part 119, a fifth random number generating part 120, a
fourth input information calculating part 121, a fifth input
information calculating part 122, a fourth output information
calculating part 27, and a fourth calculating part 123, for
example. As shown in FIG. 5, the second randomizable sampler 22
comprises a sixth random number generating part 124, a seventh
random number generating part 125, a sixth input information
calculating part 126, a seventh input information calculating part
127, a fifth output information calculating part 28, and a fifth
calculating part 128, for example.
[0094] The fourth random number generating part 119, the fifth
random number generating part 120, the fourth input information
calculating part 121, the fifth input information calculating part
122, the fourth calculating part 123, the sixth random number
generating part 124, the seventh random number generating part 125,
the sixth input information calculating part 126, the seventh input
information calculating part 127 and the fifth calculating part 128
are included in the requesting apparatus 1. According to the third
embodiment, the fourth output information calculating part 27 and
the fifth output information calculating part 28 correspond to the
calculating apparatus 2.
[0095] According to the third embodiment, it is supposed that
x=(c.sub.1, c.sub.2), f(c.sub.1, c.sub.2) is a homomorphism from a
direct product group G.times.G to the group G, the generator of the
group G is .mu..sub.g, the order of the group G is K.sub.G, and the
requesting apparatus 1 and the calculating apparatus 2 previously
have knowledge of a cipher text (V, W).epsilon.H and a decrypted
text f(V, W)=Y.epsilon.G resulting from decryption of the cipher
text for a same secret key s.
[0096] According to the third embodiment, Step S3 is composed of
Steps S31' to S36' illustrated in FIG. 9.
[0097] The fourth random number generating part 119 generates a
uniform random number r.sub.4 that is an integer equal to or
greater than 0 and smaller than K.sub.G (Step S31'). The generated
random number r.sub.4 is transmitted to the fourth input
information calculating part 121, the fifth input information
calculating part 122 and the fourth calculating part 123.
[0098] The fifth random number generating part 120 generates a
uniform random number r.sub.5 that is an integer equal to or
greater than 0 and smaller than K.sub.G (Step S32'). The generated
random number r.sub.5 is transmitted to the fourth input
information calculating part 121 and the fourth calculating part
123.
[0099] The fourth input information calculating part 121 calculates
fourth input information c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5
(Step S33'). The calculated fourth input information
c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5 is transmitted to the fourth
output information calculating part 27.
[0100] The fifth input information calculating part 122 calculates
fifth input information c.sub.2.sup.bW.sup.r4 (Step S34'). The
calculated fifth input information c.sub.2.sup.bW.sup.r4 is
transmitted to the fourth output information calculating part
27.
[0101] The fourth output information calculating part 27 performs a
calculation using the fourth input information
c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5 and the fifth input
information c.sub.2.sup.bW.sup.r4 and designates the calculation
result as fourth output information z.sub.4 (Step S35').
[0102] The fourth output information calculating part 27 is capable
of calculating f(c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5,
c.sub.2.sup.bW.sup.r4). The result of the calculation performed by
the fourth output information calculating part 27 may be or may not
be f(c.sub.1.sup.bV.sup.r4.mu..sub.g.sup.r5, c.sub.2.sup.bW.sup.r4).
[0103] The fourth calculating part 123 calculates
z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5 and designates the calculation
result as u (Step S36'). The calculation result u is transmitted to
the first exponentiation part 13. Note that
u=z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5=f(c.sub.1,
c.sub.2).sup.bx.sub.1. That is, z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5
is a randomizable sampler with an error X.sub.1 for f(c.sub.1,
c.sub.2). A reason therefor will be described later.
[0104] According to the third embodiment, Step S6 is composed of
Steps S61' to S66' illustrated in FIG. 10.
[0105] The sixth random number generating part 124 generates a
uniform random number r.sub.6 that is an integer equal to or
greater than 0 and smaller than K.sub.G (Step S61'). The generated
random number r.sub.6 is transmitted to the sixth input information
calculating part 126, the seventh input information calculating
part 127 and the fifth calculating part 128.
[0106] The seventh random number generating part 125 generates a
uniform random number r.sub.7 that is an integer equal to or
greater than 0 and smaller than K.sub.G (Step S62'). The generated
random number r.sub.7 is transmitted to the sixth input information
calculating part 126 and the fifth calculating part 128.
[0107] The sixth input information calculating part 126 calculates
sixth input information c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7
(Step S63'). The calculated sixth input information
c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7 is transmitted to the fifth
output information calculating part 28.
[0108] The seventh input information calculating part 127
calculates seventh input information c.sub.2.sup.aW.sup.r6 (Step
S64'). The calculated seventh input information
c.sub.2.sup.aW.sup.r6 is transmitted to the fifth output
information calculating part 28.
[0109] The fifth output information calculating part 28 performs a
calculation using the sixth input information
c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7 and the seventh input
information c.sub.2.sup.aW.sup.r6 and designates the calculation
result as fifth output information z.sub.5 (Step S65'). The
calculated fifth output information z.sub.5 is transmitted to the
fifth calculating part 128.
[0110] The fifth output information calculating part 28 is capable
of calculating f(c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7,
c.sub.2.sup.aW.sup.r6). The result of the calculation performed by
the fifth output information calculating part 28 may be or may not
be f(c.sub.1.sup.aV.sup.r6.mu..sub.g.sup.r7, c.sub.2.sup.aW.sup.r6).
[0111] The fifth calculating part 128 calculates
z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7 and designates the calculation
result as v (Step S66'). The calculation result v is transmitted to
the second exponentiation part 16. Note that
v=z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7=f(c.sub.1,
c.sub.2).sup.ax.sub.2. That is, z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7
is a randomizable sampler with an error X.sub.2 for f(c.sub.1,
c.sub.2). A reason therefor will be described later.
[0112] <<Reason why z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5 and
z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7 are Randomizable Samplers with
Errors X.sub.1 and X.sub.2 For f(c.sub.1, c.sub.2),
Respectively>>
[0113] It is supposed that c denotes a natural number, R.sub.1,
R.sub.2, R.sub.1' and R.sub.2' denote random numbers, the result of
the calculation performed by the calculating apparatus 2 using
c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2 and c.sub.2.sup.cW.sup.R1 is
denoted as B(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1) (that is,
z=B(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2, c.sub.2.sup.cW.sup.R1)
provided that z is the calculation result returned to the
requesting apparatus 1 from the calculating apparatus 2), and the
random variable X whose value is an element of the group G is
defined as X=B(V.sup.R1'.mu..sub.g.sup.R2',
W.sup.R1')f(V.sup.R1'.mu..sub.g.sup.R2', W.sup.R1').sup.-1.
[0114] Then,
zY.sup.-R1.mu..sub.g.sup.-R2=B(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1)Y.sup.-R1.mu..sub.g.sup.-R2=Xf(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1)Y.sup.-R1.mu..sub.g.sup.-R2=Xf(c.sub.1,
c.sub.2).sup.cf(V, W).sup.R1f(.mu..sub.g,
e.sub.g).sup.R2Y.sup.-R1.mu..sub.g.sup.-R2=Xf(c.sub.1,
c.sub.2).sup.cY.sup.R1.mu..sub.g.sup.R2Y.sup.-R1.mu..sub.g.sup.-R2=f(c.sub.1,
c.sub.2).sup.cX. That is, zY.sup.-R1.mu..sub.g.sup.-R2 is a
randomizable sampler with an error X for f(x). Note that e.sub.g is
a unit element of the group G.
[0115] In development of the formula described above, properties
are used that X=B(V.sup.R1'.mu..sub.g.sup.R2',
W.sup.R1')f(V.sup.R1'.mu..sub.g.sup.R2',
W.sup.R1').sup.-1=B(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1)f(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1).sup.-1 and
B(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1)=Xf(c.sub.1.sup.cV.sup.R1.mu..sub.g.sup.R2,
c.sub.2.sup.cW.sup.R1). These properties are based on the fact that
R.sub.1, R.sub.2, R.sub.1' and R.sub.2' are random numbers.
[0116] Therefore, taking into consideration the facts that a and b
are natural numbers, and r.sub.4, r.sub.5, r.sub.6 and r.sub.7 are
random numbers, z.sub.4Y.sup.-r4.mu..sub.g.sup.-r5 and
z.sub.5Y.sup.-r6.mu..sub.g.sup.-r7 are randomizable samplers with
errors X.sub.1 and X.sub.2 for f(c.sub.1, c.sub.2),
respectively.
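The third embodiment end to end, as an added example that is not code from the patent: Steps S31' to S36' and S61' to S66' blind an ElGamal cipher text with the known pair (V, W), Y, and the results are combined with the u.sup.a=v.sup.b test and the final calculation u.sup.b'v.sup.a' from the abstract. The toy group, the scheduled wrong answers, redrawing a and b in every round, and all function names are assumptions of this example.

```python
import itertools
import math
import secrets

# Constructed toy parameters: MU_G = 4 generates the group G of prime order
# K_G = Q = 1019 inside Z_P^* with P = 2039. Real groups are far larger.
P, Q, MU_G = 2039, 1019, 4


def f(c1, c2, s):
    """ElGamal decryption f(c1, c2) = c1 * c2^(-s) from [0092]."""
    return c1 * pow(c2, (-s) % Q, P) % P


def encrypt(m, pub, k):
    """Cipher text (c1, c2) = (m * pub^k, MU_G^k) with pub = MU_G^s."""
    return m * pow(pub, k, P) % P, pow(MU_G, k, P)


class UnreliableDecryptor:
    """Calculating apparatus 2: holds s, answers correctly only when the
    (constructed) schedule says so; otherwise returns a wrong element of G."""

    def __init__(self, s, honest_schedule):
        self._s = s
        self._honest = itertools.cycle(honest_schedule)
        self.seen = []                     # blinded inputs it was shown

    def __call__(self, c1, c2):
        self.seen.append((c1, c2))
        z = f(c1, c2, self._s)
        if next(self._honest):
            return z
        return z * pow(MU_G, 1 + secrets.randbelow(Q - 1), P) % P


def sampler(oracle, c1, c2, exp, V, W, Y):
    """Steps S31'-S36' (exp = b) or S61'-S66' (exp = a).

    Returns f(c1, c2)^exp times the error introduced by the oracle."""
    r_v = secrets.randbelow(Q)             # r4 or r6
    r_g = secrets.randbelow(Q)             # r5 or r7
    in1 = pow(c1, exp, P) * pow(V, r_v, P) * pow(MU_G, r_g, P) % P
    in2 = pow(c2, exp, P) * pow(W, r_v, P) % P
    z = oracle(in1, in2)                   # z4 or z5
    return z * pow(Y, (-r_v) % Q, P) * pow(MU_G, (-r_g) % Q, P) % P


def proxy_decrypt(oracle, c1, c2, V, W, Y, max_rounds=100):
    """Requesting apparatus 1: returns (plain text, rounds used).

    Uses only public values and the oracle, never the secret key s."""
    for rounds in range(1, max_rounds + 1):
        while True:                        # relatively prime natural numbers
            a = 1 + secrets.randbelow(63)
            b = 1 + secrets.randbelow(63)
            if math.gcd(a, b) == 1:
                break
        u = sampler(oracle, c1, c2, b, V, W, Y)   # should equal f^b
        v = sampler(oracle, c1, c2, a, V, W, Y)   # should equal f^a
        if pow(u, a, P) == pow(v, b, P):          # determining part: u' = v'
            a_p = pow(a, -1, b) if b > 1 else 0   # a'a + b'b = 1
            b_p = (1 - a_p * a) // b
            plain = pow(u, b_p % Q, P) * pow(v, a_p % Q, P) % P
            return plain, rounds
    raise RuntimeError("no consistent pair (u, v) within max_rounds")


if __name__ == "__main__":
    s = 321                                # secret key, known to apparatus 2
    pub = pow(MU_G, s, P)
    m = pow(MU_G, 77, P)                   # constructed plain text in G
    c1, c2 = encrypt(m, pub, 55)
    Y = pow(MU_G, 5, P)                    # known plain text for (V, W)
    V, W = encrypt(Y, pub, 99)
    flaky = UnreliableDecryptor(s, [False, True, True, False, True, True])
    print(proxy_decrypt(flaky, c1, c2, V, W, Y), m)
```

In a group of prime order, a round in which exactly one of the two answers is wrong is always rejected for 1 <= a, b < K.sub.G, because the error factor raised to a or b cannot be the unit element.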
Modifications of First to Third Embodiments
[0117] The random variables X.sub.1, X.sub.2 and X.sub.3 may be the
same as or different from each other.
[0118] When each of the first random number generating part 110,
the second random number generating part 113, the third random
number generating part 116, the fourth random number generating
part 119, the fifth random number generating part 120, the sixth
random number generating part 124 and the seventh random number
generating part 125 generates a uniform random number, the security
of the proxy calculation system is at the highest level. However,
when such a high security level is not required, each of the first
random number generating part 110, the second random number
generating part 113, the third random number generating part 116,
the fourth random number generating part 119, the fifth random
number generating part 120, the sixth random number generating part
124 and the seventh random number generating part 125 may generate
a random number that is not a uniform random number.
[0119] In the examples described above, each of the first
randomizable sampler 21 and the second randomizable sampler 22 is
invoked once. Alternatively, in order to reduce the number of
communications between the requesting apparatus 1 and the
calculating apparatus 2, the first randomizable sampler 21 and the
second randomizable sampler 22 may be invoked a plurality of times
for the same values of a and b to allow the requesting apparatus 1
to acquire a plurality of values of u and v in one
communication.
[0120] The first randomizable sampler 21, the second randomizable
sampler 22 and the sampler 23 may be provided in the requesting
apparatus 1 or the calculating apparatus 2. In other words, all
these components may be provided in the calculating apparatus 2 as
shown in the first embodiment, or some of these components may be
provided in the requesting apparatus 1, and the others may be
provided in the calculating apparatus 2 as shown in the second and
third embodiments, for example.
[0121] The parts of the requesting apparatus 1 may exchange data
directly or via a storage part (not shown). Similarly, the parts of
the calculating apparatus 2 may exchange data directly or via a
storage part (not shown).
[0122] Each of the requesting apparatus 1 and the calculating
apparatus 2 can be implemented by a computer. In this case,
specific processings of the functions that the apparatus has to
have are described in a program. The computer executes the program,
thereby implementing each processing function of the apparatus.
[0123] The program that describes the specific processings can be
recorded in a computer-readable recording medium. As an alternative
to using a computer that executes a predetermined program to
provide these apparatuses, at least part of these specific
processings may be implemented in a hardware form.
Fourth Embodiment
[0124] According to fourth to tenth embodiments, .theta.(g, h) is
calculated using the result of a calculation performed by a
calculating apparatus 2' in response to a request from a requesting
apparatus 1'.
[0125] As illustrated in FIG. 11, a proxy calculation system
according to the fourth embodiment comprises the requesting
apparatus 1' and the calculating apparatus 2' and calculates a
bi-homomorphism .theta.(g, h) using the result of a calculation
performed by the calculating apparatus 2' in response to a request
from the requesting apparatus 1'.
[0126] It is supposed that G, H and F denote cyclic groups, a map
.theta.: G.times.H.fwdarw.F is a bi-homomorphism, g denotes an
element of the group G, h denotes an element of the group H,
K.sub.G denotes the order of the group G, K.sub.H denotes the order
of the group H, .mu..sub.g denotes the generator of the group G,
.mu..sub.h denotes the generator of the group H,
.nu.=.theta.(.mu..sub.g, .mu..sub.h), k denotes a security
parameter that is an integer equal to or greater than 1, and
K=2.sup.k.
[0127] The "bi-homomorphism" means a map that is homomorphic to
each of two inputs. In this example, the map .theta.(g, h) is
homomorphic to the element g of the group G and to the element h of
the group H.
[0128] There is a communication channel established between the
requesting apparatus 1' and the calculating apparatus 2', and the
requesting apparatus 1' and the calculating apparatus 2' can
bidirectionally communicate with each other. The communication
channel does not have to be concealed, and a third party can
intercept the information passing through the communication
channel.
[0129] The requesting apparatus 1' transmits information scrambled
with a random number to the untrusted and/or reliable calculating
apparatus 2', and the calculating apparatus 2' performs a
calculation using the scrambled information according to a certain
algorithm and transmits the calculation result back to the
requesting apparatus 1'. The requesting apparatus 1' finally
calculates .theta.(g, h) by repeating information transmission to
and reception from the calculating apparatus 2'.
[0130] The requesting apparatus 1' first calculates information
(.sigma., .nu.') that is equivalent to .theta.(g, .mu..sub.h)
through a process from Step S11' to Step S125' (see FIG. 15), and
then calculates .theta.(g, h) through a process from Step S21'
to Step S225' using the information (.sigma., .nu.') that is
equivalent to .theta.(g, .mu..sub.h).
[0131] As illustrated in FIGS. 12 and 13, the requesting apparatus
1' comprises a first random number generating part 11', a second
random number generating part 12', a first input information
calculating part 13', a second input information calculating part
14', a first list information calculating part 15', a first list
storage part 16', a receiving part 17', a transmitting part 18', a
fourth random number generating part 21', a fifth random number
generating part 22', a third input information calculating part
23', a fourth input information calculating part 24', a second list
information calculating part 25', a second list storage part 26', a
third random number generating part 27', a first determining part
28', a sixth random number generating part 31', a seventh random
number generating part 32', a fifth input information calculating
part 33', a sixth input information calculating part 34', a third
list information calculating part 35', a third list storage part
36', a ninth random number generating part 41', a tenth random
number generating part 42', a seventh input information calculating
part 43', an eighth input information calculating part 44', a
fourth list information calculating part 45', a fourth list
calculating part 46', an eighth random number generating part 47'
and a second determining part 48', for example.
[0132] As illustrated in FIG. 14, the calculating apparatus 2'
comprises a receiving part 51', a transmitting part 52', a first
output information calculating part 53', a second output
information calculating part 54', a third output information
calculating part 55' and a fourth output information calculating
part 56', for example.
[0133] <Step S11' (FIG. 15)>
[0134] The first random number generating part 11' generates a
uniform random number r.sub.1 that is equal to or greater than 0
and smaller than K.sub.G (Step S11'). The generated random number
r.sub.1 is transmitted to the first input information calculating
part 13' and the first list information calculating part 15'.
[0135] <Step S12'>
[0136] The second random number generating part 12' generates a
uniform random number r.sub.2 that is equal to or greater than 0
and smaller than K.sub.H (Step S12'). The generated random number
r.sub.2 is transmitted to the second input information calculating
part 14', the first list information calculating part 15' and the
first list storage part 16'.
[0137] <Step S13'>
[0138] The first input information calculating part 13' calculates
first input information g.sub.1=.mu..sub.g.sup.r1g (Step S13'). The
calculated information g.sub.1 is transmitted to the transmitting
part 18'.
[0139] The superscript "r1" of .mu..sub.g means r.sub.1. In this
way, in this application, in an expression
.alpha..sup..beta..gamma. where .alpha. denotes a first character, .beta.
denotes a second character and .gamma. denotes a numeral,
.beta..gamma. means .beta..sub..gamma., that is, .gamma. is a
subscript of .beta..
[0140] To calculate g.sub.1=.mu..sub.g.sup.r1g means to calculate
the value of g.sub.1 defined by the formula .mu..sub.g.sup.r1g. Any
calculation process can be used as far as the value of the formula
.mu..sub.g.sup.r1g can be finally calculated. The same holds true
for calculation of any other formulas found in this
application.
[0141] <Step S14'>
[0142] The second input information calculating part 14' calculates
second input information h.sub.1=.mu..sub.h.sup.r2 (Step S14'). The
calculated information h.sub.1 is transmitted to the transmitting
part 18'.
[0143] <Step S15'>
[0144] The transmitting part 18' transmits the first input
information g.sub.1 and the second input information h.sub.1 to the
calculating apparatus 2' (Step S15').
[0145] <Step S16'>
[0146] The receiving part 51' (FIG. 14) of the calculating apparatus
2' receives the first input information g.sub.1 and the second
input information h.sub.1 (Step S16').
[0147] <Step S17'>
[0148] The first output information calculating part 53' performs a
calculation using the first input information g.sub.1 and the
second input information h.sub.1 and designates the calculation
result as first output information z.sub.1 (Step S17'). The first
output information z.sub.1 is transmitted to the transmitting part
52'.
[0149] The first output information calculating part 53' is capable
of calculating .theta.(g.sub.1, h.sub.1). The result of the
calculation performed by the first output information calculating
part 53' may be or may not be .theta.(g.sub.1, h.sub.1).
[0150] In this application, the expression "be capable of
calculating" means that a calculation is possible with a
non-negligible probability. The expression "non-negligible
probability" means a probability equal to or higher than 1/f(k),
where f(k) denotes a polynomial that is a monotonically increasing
function of a security parameter k in a broad sense.
[0151] <Step S18'>
[0152] The transmitting part 52' transmits the first output
information z.sub.1 to the requesting apparatus 1' (Step S18').
[0153] <Step S19'>
[0154] The receiving part 17' (FIG. 12) of the requesting apparatus
1' receives the first output information z.sub.1 (Step S19'). The
received first output information z.sub.1 is transmitted to the
first list information calculating part 15'. In this example, it is
supposed that the first output information z.sub.1 is an element of
the group F.
[0155] <Step S110'>
[0156] The first list information calculating part 15' calculates
z.sub.1.nu..sup.-r1r2 using the random numbers r.sub.1 and r.sub.2
and the first output information z.sub.1 (Step S110'). The
calculated z.sub.1.nu..sup.-r1r2 is transmitted to the first list
storage part 16'.
[0157] <Step S111'>
[0158] An information set (r.sub.2, z.sub.1.nu..sup.-r1r2) composed
of the random number r.sub.2 and the calculated
z.sub.1.nu..sup.-r1r2 is added to a list L.sub.1. In this example,
the first list storage part 16' stores the information set
(r.sub.2, z.sub.1.nu..sup.-r1r2) (Step S111').
[0159] <Step S112'>
[0160] The third random number generating part 27' generates a
uniform random number d.sub.1 that is equal to or greater than 0
and smaller than K (Step S112'). The generated random number
d.sub.1 is transmitted to the third input information calculating
part 23' and the second list storage part 26'.
[0161] <Step S113'>
[0162] The fourth random number generating part 21' generates a
uniform random number r.sub.4 that is equal to or greater than 0
and smaller than K.sub.G (Step S113'). The generated random number
r.sub.4 is transmitted to the third input information calculating
part 23' and the second list information calculating part 25'.
[0163] <Step S114'>
[0164] The fifth random number generating part 22' generates a
uniform random number r.sub.5 that is equal to or greater than 0
and smaller than K.sub.H (Step S114'). The generated random number
r.sub.5 is transmitted to the fourth input information calculating
part 24', the second list information calculating part 25' and the
second list storage part 26'.
[0165] <Step S115'>
[0166] The third input information calculating part 23' calculates
third input information g.sub.2=.mu..sub.g.sup.r4g.sup.d1 (Step
S115'). The calculated third input information g.sub.2 is
transmitted to the transmitting part 18'.
[0167] <Step S116'>
[0168] The fourth input information calculating part 24' calculates
fourth input information h.sub.2=.mu..sub.h.sup.r5 (Step S116').
The calculated fourth input information h.sub.2 is transmitted to
the transmitting part 18'.
[0169] <Step S117'>
[0170] The transmitting part 18' transmits the third input
information g.sub.2 and the fourth input information h.sub.2 to the
calculating apparatus 2' (Step S117').
[0171] <Step S118'>
[0172] The receiving part 51' (FIG. 14) of the calculating
apparatus 2' receives the third input information g.sub.2 and the
fourth input information h.sub.2 (Step S118').
[0173] <Step S119'>
[0174] The second output information calculating part 54' performs
a calculation using the third input information g.sub.2 and the
fourth input information h.sub.2 and designates the calculation
result as second output information z.sub.2 (Step S119'). The
second output information z.sub.2 is transmitted to the
transmitting part 52'.
[0175] The second output information calculating part 54' is
capable of calculating .theta.(g.sub.2, h.sub.2). The result of the
calculation performed by the second output information calculating
part 54' may be or may not be .theta.(g.sub.2, h.sub.2).
[0176] <Step S120'>
[0177] The transmitting part 52' transmits the second output
information z.sub.2 to the requesting apparatus 1' (Step
S120').
[0178] <Step S121'>
[0179] The receiving part 17' (FIG. 12) of the requesting apparatus
1' receives the second output information z.sub.2 (Step S121'). The
received second output information z.sub.2 is transmitted to the
second list information calculating part 25'. In this example, it
is supposed that the second output information z.sub.2 is an
element of the group F.
[0180] <Step S122'>
[0181] The second list information calculating part 25' calculates
z.sub.2.nu..sup.-r4r5 using the random numbers r.sub.4 and r.sub.5
and the second output information z.sub.2 (Step S122'). The
calculated z.sub.2.nu..sup.-r4r5 is transmitted to the second list
storage part 26'.
[0182] <Step S123'>
[0183] An information set (d.sub.1, r.sub.5, z.sub.2.nu..sup.-r4r5)
composed of the random numbers d.sub.1 and r.sub.5 and the
calculated z.sub.2.nu..sup.-r4r5 is added to a list L.sub.2. In
this example, the second list storage part 26' stores the
information set (d.sub.1, r.sub.5, z.sub.2.nu..sup.-r4r5) (Step
S123').
[0184] <Step S124'>
[0185] Provided that the first element and the second element of the
information set read from the first list storage part 16' are
denoted by s.sub.1 and w.sub.1, respectively, and the first
element, the second element and the third element of the
information set read from the second list storage part 26' are
denoted by t.sub.2, s.sub.2 and w.sub.2, respectively, the first
determining part 28' determines whether or not these information
sets satisfy a relation
(w.sub.1).sup.(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2, in which
t.sub.2s.sub.2s.sub.1.sup.-1 is the exponent of w.sub.1 (Step S124').
[0186] When the first list storage part 16' and the second list
storage part 26' store a plurality of information sets, the first
determining part 28' makes the determination of whether the
relation described above is satisfied or not for every pair of the
information set (r.sub.2, z.sub.1.nu..sup.-r1r2) stored in the
first list storage part 16' and the information set (d.sub.1,
r.sub.5, z.sub.2.nu..sup.-r4r5) stored in the second list storage
part 26'. Of course, the determination processing can be omitted
for an information pair for which the determination of whether the
relation described above is satisfied or not has already been
made.
[0187] <Step S125'>
[0188] If the relation described above is satisfied, the first
determining part 28' substitutes s.sub.1 for .sigma. and w.sub.1
for .nu.' (Step S125'). Note that
.nu.'.sup.1/.sigma.=w.sub.1.sup.1/.sigma.=.theta.(g, .mu..sub.h). A
reason why the relation .nu.'.sup.1/.sigma.=.theta.(g, .mu..sub.h)
holds will be described later.
[0189] If the relation described above is not satisfied, the
process returns to Step S11'.
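Steps S11' to S125' on the requesting side, as an added example that is not code from the patent: it fills the lists L.sub.1 and L.sub.2, tests every new pair with the relation of Step S124', and returns (.sigma., .nu.'). The toy bi-homomorphism (G=H=F, evaluated through a discrete-logarithm table that is only feasible at this size), the value k=8, the error model, and all function names are assumptions of this example.

```python
import secrets

# Constructed toy parameters: G = H = F is the subgroup of prime order
# Q = 1019 in Z_P^* (P = 2039) generated by MU; K = 2^k with k = 8.
P, Q, MU = 2039, 1019, 4
K = 2 ** 8
NU = MU                                    # nu = theta(mu_g, mu_h)
_LOG = {pow(MU, i, P): i for i in range(Q)}  # used by apparatus 2' only


def theta(g, h):
    """Toy bi-homomorphism theta(MU^x, MU^y) = NU^(x*y)."""
    return pow(NU, _LOG[g] * _LOG[h] % Q, P)


def flaky_theta(percent_correct):
    """Calculating apparatus 2' that is right only percent_correct % of the time."""
    def oracle(g, h):
        z = theta(g, h)
        if secrets.randbelow(100) < percent_correct:
            return z
        return z * pow(MU, 1 + secrets.randbelow(Q - 1), P) % P
    return oracle


def phase_one(oracle, g, max_rounds=500):
    """Return (sigma, nu_prime) with nu_prime^(1/sigma) = theta(g, mu_h)."""
    list1, list2 = [], []
    for _ in range(max_rounds):
        # Steps S11'-S111': entry (r2, z1 * nu^(-r1*r2)) for list L1.
        r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
        z1 = oracle(pow(MU, r1, P) * g % P, pow(MU, r2, P))
        new1 = (r2, z1 * pow(NU, -r1 * r2 % Q, P) % P)
        # Steps S112'-S123': entry (d1, r5, z2 * nu^(-r4*r5)) for list L2.
        d1 = secrets.randbelow(K)
        r4, r5 = secrets.randbelow(Q), secrets.randbelow(Q)
        z2 = oracle(pow(MU, r4, P) * pow(g, d1, P) % P, pow(MU, r5, P))
        new2 = (d1, r5, z2 * pow(NU, -r4 * r5 % Q, P) % P)
        # Step S124': test only the pairs that involve a new entry.
        pairs = [(e1, new2) for e1 in list1] + [(new1, new2)]
        pairs += [(new1, e2) for e2 in list2]
        list1.append(new1)
        list2.append(new2)
        for (s1, w1), (t2, s2, w2) in pairs:
            if s1 == 0:
                continue                   # s1^-1 does not exist
            exponent = t2 * s2 * pow(s1, -1, Q) % Q
            if pow(w1, exponent, P) == w2:
                return s1, w1              # Step S125': sigma, nu'
    raise RuntimeError("no matching pair within max_rounds")


if __name__ == "__main__":
    g = pow(MU, 345, P)                    # constructed element of G
    sigma, nu_prime = phase_one(flaky_theta(40), g)
    print(pow(nu_prime, pow(sigma, -1, Q), P), theta(g, MU))
```

With a correct w.sub.2, a wrong w.sub.1 passes the test only when t.sub.2s.sub.2 is a multiple of the group order, because the exponent is then 0 and both sides equal the unit element.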
[0190] <Step S21' (FIG. 16)>
[0191] The sixth random number generating part 31' generates a
uniform random number r.sub.6 that is equal to or greater than 0
and smaller than K.sub.G (Step S21'). The generated random number
r.sub.6 is transmitted to the fifth input information calculating
part 33', the third list information calculating part 35' and the
third list storage part 36'.
[0192] <Step S22'>
[0193] The seventh random number generating part 32' generates a
uniform random number r.sub.7 that is equal to or greater than 0
and smaller than K.sub.H (Step S22'). The generated random number
r.sub.7 is transmitted to the sixth input information calculating
part 34' and the third list information calculating part 35'.
[0194] <Step S23'>
[0195] The fifth input information calculating part 33' calculates
fifth input information g.sub.3=.mu..sub.g.sup.r6 (Step S23'). The
calculated information g.sub.3 is transmitted to the transmitting
part 18'.
[0196] <Step S24'>
[0197] The sixth input information calculating part 34' calculates
sixth input information h.sub.3=.mu..sub.h.sup.r7.sigma.h (Step
S24'). The calculated information h.sub.3 is transmitted to the
transmitting part 18'.
[0198] <Step S25'>
[0199] The transmitting part 18' transmits the fifth input
information g.sub.3 and the sixth input information h.sub.3 to the
calculating apparatus 2' (Step S25').
[0200] <Step S26'>
[0201] The receiving part 51' (FIG. 14) of the calculating
apparatus 2' receives the fifth input information g.sub.3 and the
sixth input information h.sub.3 (Step S26').
[0202] <Step S27'>
[0203] The third output information calculating part 55' performs a
calculation using the fifth input information g.sub.3 and the sixth
input information h.sub.3 and designates the calculation result as
third output information z.sub.3 (Step S27'). The third output
information z.sub.3 is transmitted to the transmitting part
52'.
[0204] The third output information calculating part 55' is capable
of calculating .theta.(g.sub.3, h.sub.3). The result of the
calculation performed by the third output information calculating
part 55' may be or may not be .theta.(g.sub.3, h.sub.3).
[0205] <Step S28'>
[0206] The transmitting part 52' transmits the third output
information z.sub.3 to the requesting apparatus 1' (Step S28').
[0207] <Step S29'>
[0208] The receiving part 17' (FIG. 13) of the requesting apparatus
1' receives the third output information z.sub.3 (Step S29'). The
received third output information z.sub.3 is transmitted to the
third list information calculating part 35'. In this example, it is
supposed that the third output information z.sub.3 is an element of
the group F.
[0209] <Step S210'>
[0210] The third list information calculating part 35' calculates
z.sub.3.nu.'.sup.-r6r7 using the random numbers r.sub.6 and r.sub.7
and the third output information z.sub.3 (Step S210'). The
calculated z.sub.3.nu.'.sup.-r6r7 is transmitted to the third list
storage part 36'.
[0211] <Step S211'>
[0212] An information set (r.sub.6, z.sub.3.nu.'.sup.-r6r7)
composed of the random number r.sub.6 and the calculated
z.sub.3.nu.'.sup.-r6r7 is added to a list L.sub.3. In this example,
the third list storage part 36' stores the information set
(r.sub.6, z.sub.3.nu.'.sup.-r6r7) (Step S211').
[0213] <Step S212'>
[0214] The eighth random number generating part 47' generates a
uniform random number d.sub.2 that is equal to or greater than 0
and smaller than K (Step S212'). The generated random number
d.sub.2 is transmitted to the eighth input information calculating
part 44' and the fourth list storage part 46'.
[0215] <Step S213'>
[0216] The ninth random number generating part 41' generates a
uniform random number r.sub.9 that is equal to or greater than 0
and smaller than K.sub.G (Step S213'). The generated random number
r.sub.9 is transmitted to the seventh input information calculating
part 43', the fourth list information calculating part 45' and the
fourth list storage part 46'.
[0217] <Step S214'>
[0218] The tenth random number generating part 42' generates a
uniform random number r.sub.10 that is equal to or greater than 0
and smaller than K.sub.H (Step S214'). The generated random number
r.sub.10 is transmitted to the eighth input information calculating
part 44', the fourth list information calculating part 45' and the
fourth list storage part 46'.
[0219] <Step S215'>
[0220] The seventh input information calculating part 43'
calculates seventh input information g.sub.4=g.sup.r9 (Step S215').
The calculated seventh input information g.sub.4 is transmitted to
the transmitting part 18'.
[0221] <Step S216'>
[0222] The eighth input information calculating part 44' calculates
eighth input information h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2
(Step S216'). The calculated eighth input information h.sub.4 is
transmitted to the transmitting part 18'.
[0223] <Step S217'>
[0224] The transmitting part 18' transmits the seventh input
information g.sub.4 and the eighth input information h.sub.4 to the
calculating apparatus 2' (Step S217').
[0225] <Step S218'>
[0226] The receiving part 51' (FIG. 14) of the calculating
apparatus 2' receives the seventh input information g.sub.4 and the
eighth input information h.sub.4 (Step S218').
[0227] <Step S219'>
[0228] The fourth output information calculating part 56' performs
a calculation using the seventh input information g.sub.4 and the
eighth input information h.sub.4 and designates the calculation
result as fourth output information z.sub.4 (Step S219'). The
fourth output information z.sub.4 is transmitted to the
transmitting part 52'.
[0229] The fourth output information calculating part 56' is
capable of calculating .theta.(g.sub.4, h.sub.4). The result of the
calculation performed by the fourth output information calculating
part 56' may be or may not be .theta.(g.sub.4, h.sub.4).
[0230] <Step S220'>
[0231] The transmitting part 52' transmits the fourth output
information z.sub.4 to the requesting apparatus 1' (Step
S220').
[0232] <Step S221'>
[0233] The receiving part 17' (FIG. 12) of the requesting apparatus
1' receives the fourth output information z.sub.4 (Step S221'). The
received fourth output information z.sub.4 is transmitted to the
fourth list information calculating part 45'. In this example, it
is supposed that the fourth output information z.sub.4 is an
element of the group F.
[0234] <Step S222'>
[0235] The fourth list information calculating part 45' calculates
z.sub.4.nu.'.sup.-r9r10 using the random numbers r.sub.9 and
r.sub.10 and the fourth output information z.sub.4 (Step S222').
The calculated z.sub.4.nu.'.sup.-r9r10 is transmitted to the fourth
list storage part 46'.
[0236] <Step S223'>
[0237] An information set (d.sub.2, r.sub.9,
z.sub.4.nu.'.sup.-r9r10) composed of the random numbers d.sub.2 and
r.sub.9 and the calculated z.sub.4.nu.'.sup.-r9r10 is added to a
list L.sub.4. In this example, the fourth list storage part 46'
stores the information set (d.sub.2, r.sub.9,
z.sub.4.nu.'.sup.-r9r10) (Step S223').
[0238] <Step S224'>
[0239] Provided the first element and the second element of the
information set read from the third list storage part 36' are
denoted by s.sub.3 and w.sub.3, respectively, and the first
element, the second element and the third element of the
information set read from the fourth list storage part 46' are
denoted by t.sub.4, s.sub.4 and w.sub.4, respectively, the second
determining part 48' determines whether or not these information
sets satisfy a relation
(w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4 (Step S224').
[0240] When the third list storage part 36' and the fourth list
storage part 46' store a plurality of information sets, the second
determining part 48' makes the determination of whether the
relation described above is satisfied or not for every pair of the
information set (r.sub.6, z.sub.3.nu.'.sup.-r6r7) stored in the
third list storage part 36' and the information set (d.sub.2,
r.sub.9, z.sub.4.nu.'.sup.-r9r10) stored in the fourth list storage
part 46'. Of course, the determination processing can be omitted
for an information pair for which the determination of whether the
relation described above is satisfied or not has already been
made.
[0241] <Step S225'>
[0242] If the relation described above is satisfied, the second
determining part 48' outputs (w.sub.3).sup.(s.sub.3.sup.-1) (Step
S225'). Note that (w.sub.3).sup.(s.sub.3.sup.-1)=.theta.(g, h). A
reason why the relation (w.sub.3).sup.(s.sub.3.sup.-1)=.theta.(g, h)
holds will be described later.
[0243] If the relation described above is not satisfied, the
process returns to Step S21'.
[0244] When it is difficult to calculate
(w.sub.3).sup.(s.sub.3.sup.-1), that is, a root of w.sub.3,
.theta.(g, h) can be easily calculated in the following manner. The
second determining part 48' stores in a storage part 410' sets
(w.sub.3, s.sub.3) of the values w.sub.3 and s.sub.3 that satisfy
the relation (w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4
as a sequence of sets
(.alpha..sub.1, S.sub.1), (.alpha..sub.2, S.sub.2), . . . ,
(.alpha..sub.m, S.sub.m) by repeating the process from Step S21' to
Step S224'. Note that m denotes a natural number. If S.sub.m that
is relatively prime to S.sub.1 is found, the second determining
part 48' calculates integers L.sub.1 and L.sub.2 that satisfy a
relation L.sub.1S.sub.1+L.sub.2S.sub.m=1, and calculates
.alpha..sub.1.sup.L1.alpha..sub.m.sup.L2 using the integers L.sub.1
and L.sub.2. .alpha..sub.1.sup.L1.alpha..sub.m.sup.L2=.theta.(g,
h).sup.(L1S1+L2Sm)=.theta.(g, h). When the least common multiple of
S.sub.1, S.sub.2, . . . and S.sub.m is 1, the second determining
part 48' can calculate integers L.sub.1, L.sub.2, . . . and
L.sub.m, that satisfy a relation L.sub.1S.sub.1+L.sub.2S.sub.2+ . .
. +L.sub.mS.sub.m=1, and calculate
.alpha..sub.1.sup.L1.alpha..sub.2.sup.L2 . . . .alpha..sub.m.sup.Lm
using the integers L.sub.1, L.sub.2, . . . , L.sub.m.
.alpha..sub.1.sup.L1.alpha..sub.2.sup.L2 . . .
.alpha..sub.m.sup.Lm=.theta.(g, h).sup.(L1S1+L2S2+ . . .
+LmSm)=.theta.(g, h).
[0245] Even if there is an attacker M who can intercept the
communication between the requesting apparatus 1' and the
calculating apparatus 2', the information exchanged between the
requesting apparatus 1' and the calculating apparatus 2' can be
concealed from the attacker M by scrambling the information with
random numbers (r.sub.1, r.sub.2, for example) that are known only
to the requesting apparatus 1'.
[0246] Since the information exchanged between the requesting
apparatus 1' and the calculating apparatus 2' is scrambled with
random numbers, such as r.sub.1 and r.sub.2, that are known only to
the requesting apparatus 1', the calculating apparatus 2' cannot
even know the inputs g and h of .theta.(g, h), to say nothing of
.theta.(g, h) to be finally calculated by the requesting apparatus
1'.
[0247] Therefore, the calculating apparatus 2' does not have to be
a trusted calculator, so that the requirements on the configuration
of the system for calculating a bi-homomorphism can be reduced.
Since the calculating apparatus 2' does not have to be a trusted
calculator, which is generally expensive and requires high
operational cost, the cost of construction and operation of the
system for calculating a bi-homomorphism can be reduced.
[0248] <<Reason why .nu.'.sup.1/.sigma.=.theta.(g, .mu..sub.h)>>
[0249] A random variable S.sub.X(d), which is referred to as a
randomizable sampler, will be first described. The random variable
S.sub.X(d) that is a randomizable sampler with an error X for
w.epsilon.F is expressed as S.sub.X(d)=w.sup.dX, where d denotes a
natural number.
[0250] Provided that R.sub.1, R.sub.2, R.sub.1' and R.sub.2' denote
random numbers, the result of the calculation performed by the
calculating apparatus using g.sup.d.mu..sub.g.sup.R1 and
.mu..sub.h.sup.R2 is expressed as B(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h.sup.R2) (that is, z=B(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h.sup.R2), where z denotes the calculation result returned
to the requesting apparatus from the calculating apparatus), and a
random variable X whose value is an element of the group F is
defined as X=B(.mu..sub.g.sup.R'1,
.mu..sub.h.sup.R'2).sup.1/R'2.theta.(.mu..sub.g.sup.R'1,
.mu..sub.h).sup.-1, S.sub.X(d)=z.sup.(1/R2).nu..sup.-R1 is a
randomizable sampler with an error X for .theta.(g,
.mu..sub.h).
[0251] This is because
S.sub.X(d)=z.sup.(1/R2).nu..sup.-R1=B(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h.sup.R2).sup.1/R2.theta.(.mu..sub.g,
.mu..sub.h).sup.-R1=X.theta.(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h).theta.(.mu..sub.g.sup.R1,
.mu..sub.h).sup.-1=X.theta.(g.sup.d,
.mu..sub.h).theta.(.mu..sub.g.sup.R1,
.mu..sub.h).theta.(.mu..sub.g.sup.R1, .mu..sub.h).sup.-1=.theta.(g,
.mu..sub.h).sup.dX.
[0252] In development of the formula described above, properties
are used that X=B(.mu..sub.g.sup.R'1,
.mu..sub.h.sup.R'2).sup.1/R'2.theta.(.mu..sub.g.sup.R'1,
.mu..sub.h).sup.-1=B(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h.sup.R2).sup.1/R2.theta.(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h).sup.-1 and B(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h.sup.R2).sup.1/R2=X.theta.(g.sup.d.mu..sub.g.sup.R1,
.mu..sub.h). These properties are based on the fact that R.sub.1,
R.sub.2, R.sub.1' and R.sub.2' are random numbers.
[0253] Provided that a realized value of S.sub.X(1) is expressed as
.theta.(g, .mu..sub.h).sup.1x.sub.1, and a realized value of
S.sub.X(d) is expressed as .theta.(g, .mu..sub.h).sup.dx.sub.2, the
inventor has found that the realized value of S.sub.X(1) raised to
the d-th power is highly likely to be equal to the realized value
of S.sub.X(d), that is, the relation (.theta.(g,
.mu..sub.h).sup.1x.sub.1).sup.d=.theta.(g, .mu..sub.h).sup.dx.sub.2
is highly likely to hold when x.sub.1 and x.sub.2 are a unit
element e.sub.f of the group F. The proof is omitted herein. When
x.sub.1 is the unit element e.sub.f of the group F, the realized
value of S.sub.X(1)=.theta.(g, .mu..sub.h).sup.1x.sub.1=.theta.(g,
.mu..sub.h).
[0254] The proxy calculation system according to the embodiments
described above uses these properties of the randomizable
sampler.
[0255] The process from Step S11' to Step S111' corresponds to
calculation of the realized value .theta.(g,
.mu..sub.h).sup.1x.sub.1 of S.sub.X(1). The realized value of
S.sub.X(1) itself is not actually calculated. However, using
(r.sub.2, z.sub.1.nu..sup.-r1r2) resulting from the process,
z.sub.1.nu..sup.-r1r2 is raised to the 1/r.sub.2-th power. The
resulting (z.sub.1.nu..sup.-r1r2).sup.1/r2 is equal to
z.sub.1.sup.1/r2.nu..sup.-r1, which is equal to the realized value
.theta.(g, .mu..sub.h).sup.1x.sub.1 of S.sub.X(1). Similarly, the
process from Step S112' to Step S123' corresponds to calculation of
the realized value .theta.(g, .mu..sub.h).sup.d1x.sub.2 of
S.sub.X(d.sub.1).
[0256] The processing of Step S124' corresponds to determination of
whether or not the realized value of S.sub.X(1) raised to the
d.sub.1-th power is equal to the realized value of
S.sub.X(d.sub.1), that is, (.theta.(g,
.mu..sub.h).sup.1x.sub.1).sup.d1=.theta.(g, .mu..sub.h).sup.d1x.sub.2.
This is because the determination criterion
(w.sub.1).sup.(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2 used in Step
S124' is based on the fact that
(w.sub.1).sup.(t.sub.2s.sub.2s.sub.1.sup.-1)=w.sub.2 is equivalent
to (w.sub.1.sup.1/s1).sup.t2=w.sub.2.sup.1/s2, which is equivalent
to (z.sub.1.sup.1/r2.nu..sup.-r1).sup.d1=z.sub.2.sup.1/r5.nu..sup.-r4,
which is equivalent to (.theta.(g,
.mu..sub.h).sup.1x.sub.1).sup.d1=.theta.(g,
.mu..sub.h).sup.d1x.sub.2, that is, the realized value of S.sub.X(1)
raised to the d.sub.1-th power=the realized value of
S.sub.X(d.sub.1). Note that, according to the definition,
s.sub.1=r.sub.2, w.sub.1=z.sub.1.nu..sup.-r1r2, t.sub.2=d.sub.1,
s.sub.2=r.sub.5, and w.sub.2=z.sub.2.nu..sup.-r4r5.
[0257] Furthermore, .sigma. and .nu.' in Step S125' correspond to
.theta.(g, .mu..sub.h). This is because
.nu.'.sup.1/.sigma.=w.sub.1.sup.1/s1=z.sub.1.sup.1/r2.nu..sup.-r1=.theta.(g,
.mu..sub.h).sup.1x.sub.1=.theta.(g, .mu..sub.h) when the
realized value of S.sub.X(1) raised to the d.sub.1-th power=the
realized value of S.sub.X(d.sub.1) as described above.
[0258] <<Reason why (w.sub.3).sup.(s.sub.3.sup.-1)=.theta.(g, h)>>
[0259] Provided that R.sub.1, R.sub.2, R.sub.1' and R.sub.2' denote
random numbers, the result of the calculation performed by the
calculating apparatus using g.sup.R1 and h.sup.d.mu..sub.h.sup.R2
is expressed as B(g.sup.R1, h.sup.d.mu..sub.h.sup.R2)
(z=B(g.sup.R1, h.sup.d.mu..sub.h.sup.R2) where z denotes the
calculation result returned to the requesting apparatus from the
calculating apparatus), and a random variable X whose value is an
element of the group F is defined as X=B(g.sup.R'1,
.mu..sub.h.sup.R'2).sup.1/R'1.theta.(g, .mu..sub.h.sup.R'2).sup.-1,
S.sub.X(d)=z.sup.(1/R1).nu.'.sup.-R2 is a randomizable sampler with
an error X for .theta.(g, h).
[0260] This is because
S.sub.X(d)=z.sup.(1/R1).nu.'.sup.-R2=B(g.sup.R1,
h.sup.d.mu..sub.h.sup.R2).sup.1/R1.theta.(g,
.mu..sub.h).sup.-R2=X.theta.(g, h.sup.d.mu..sub.h.sup.R2).theta.(g,
.mu..sub.h.sup.R2).sup.-1=X.theta.(g, h.sup.d).theta.(g,
.mu..sub.h.sup.R2).theta.(g, .mu..sub.h.sup.R2).sup.-1=.theta.(g,
h).sup.dX.
[0261] In development of the formula described above, properties
are used that X=B(g.sup.R'1,
.mu..sub.h.sup.R'2).sup.1/R'1.theta.(g,
.mu..sub.h.sup.R'2).sup.-1=B(g.sup.R1,
h.sup.d.mu..sub.h.sup.R2).sup.1/R1.theta.(g,
h.sup.d.mu..sub.h.sup.R2).sup.-1 and B(g.sup.R1,
h.sup.d.mu..sub.h.sup.R2).sup.1/R1=X.theta.(g,
h.sup.d.mu..sub.h.sup.R2). These properties are based on the fact
that R.sub.1, R.sub.2, R.sub.1' and R.sub.2' are random
numbers.
[0262] Provided that a realized value of S.sub.X(1) is expressed as
.theta.(g, h).sup.1x.sub.1, and a realized value of S.sub.X(d) is
expressed as .theta.(g, h).sup.dx.sub.2, the inventor has found
that the realized value of S.sub.X(1) raised to the d-th power is
highly likely to be equal to S.sub.X(d), that is, the relation
(.theta.(g, h).sup.1x.sub.1).sup.d=.theta.(g, h).sup.dx.sub.2 is
highly likely to hold when x.sub.1 and x.sub.2 are a unit element
e.sub.f of the group F. The proof is omitted herein. When x.sub.1
is the unit element e.sub.f of the group F, the realized value of
S.sub.X(1)=.theta.(g, h).sup.1x.sub.1=.theta.(g, h).
[0263] The proxy calculation system according to the embodiments
described above uses these properties of the randomizable
sampler.
[0264] The process from Step S21' to Step S211' corresponds to
calculation of the realized value .theta.(g, h).sup.1x.sub.1 of
S.sub.X(1). The realized value of S.sub.X(1) itself is not actually
calculated. However, using (r.sub.6, z.sub.3.nu.'.sup.-r6r7)
resulting from the process, z.sub.3.nu.'.sup.-r6r7 is raised to the
1/r.sub.6-th power. The resulting (z.sub.3.nu.'.sup.-r6r7).sup.1/r6
is equal to z.sub.3.sup.1/r6.nu.'.sup.-r7, which is equal to the
realized value .theta.(g, h).sup.1x.sub.1 of S.sub.X(1). Similarly,
the process from Step S212' to Step S223' corresponds to calculation
of the realized value .theta.(g, h).sup.d2x.sub.2 of
S.sub.X(d.sub.2).
[0265] The processing of Step S224' corresponds to determination of
whether or not the realized value of S.sub.X(1) raised to the
d.sub.2-th power is equal to the realized value of
S.sub.X(d.sub.2), that is, (.theta.(g,
h).sup.1x.sub.1).sup.d2=.theta.(g, h).sup.d2x.sub.2. This is
because the determination criterion
(w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4 used in Step
S224' is based on the fact that
(w.sub.3).sup.(t.sub.4s.sub.4s.sub.3.sup.-1)=w.sub.4 is equivalent
to (w.sub.3.sup.1/s3).sup.t4=w.sub.4.sup.1/s4, which is equivalent
to (z.sub.3.sup.1/r6.nu.'.sup.-r7).sup.d2=z.sub.4.sup.1/r9.nu.'.sup.-r10,
which is equivalent to (.theta.(g,
h).sup.1x.sub.1).sup.d2=.theta.(g, h).sup.d2x.sub.2, that is, the
realized value of S.sub.X(1) raised to the d.sub.2-th power=the
realized value of S.sub.X(d.sub.2). Note that, according to the
definition, s.sub.3=r.sub.6, w.sub.3=z.sub.3.nu.'.sup.-r6r7,
t.sub.4=d.sub.2, s.sub.4=r.sub.9, and
w.sub.4=z.sub.4.nu.'.sup.-r9r10.
[0266] Furthermore, (w.sub.3).sup.(s.sub.3.sup.-1) in Step S225'
corresponds to .theta.(g, h). This is because
(w.sub.3).sup.(s.sub.3.sup.-1)=(z.sub.3.nu.'.sup.-r6r7).sup.(r.sub.6.sup.-1)=z.sub.3.sup.1/r6.nu.'.sup.-r7=.theta.(g,
h).sup.1x.sub.1=.theta.(g, h) when the realized value of S.sub.X(1)
raised to the d.sub.2-th power=the realized value of
S.sub.X(d.sub.2) as described above.
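The following Python run of Steps S21' to S225' and of the root-free combination of paragraph [0244], against a calculating apparatus that answers correctly only part of the time, is an added example and not part of the application. The toy groups (G = H = integers modulo Q under addition, F = squares modulo the prime P, theta(a, b) = GAMMA^(ab)), all parameter and sample values, the function names, and the choice of nonzero r and d.sub.2 are assumptions of the example; the inputs sent to the calculator are formed as g.sup.R1 and h.sup.d.mu..sub.h.sup.R2 scaled by .sigma., following paragraph [0259] and Steps S215' and S216'.

```python
import random

P = 1_000_000_007   # toy prime modulus for F (constructed; far too small for real use)
Q = (P - 1) // 2    # order of the subgroup of squares; all exponents are reduced mod Q
GAMMA = 4           # a square mod P, so it generates a subgroup of order dividing Q


def theta(a, b):
    """Toy bi-homomorphism with G = H = (Z_Q, +): theta(a, b) = GAMMA^(a*b) in F."""
    return pow(GAMMA, a * b % Q, P)


def make_calculator(p_correct, rng):
    """Calculating apparatus 2': returns theta(g_in, h_in) only with probability p_correct."""
    def B(g_in, h_in):
        if rng.random() < p_correct:
            return theta(g_in, h_in)
        return pow(GAMMA, rng.randrange(Q), P)   # an unrelated element of F
    return B


def sample(B, g, h, mu_h, sigma, nu, d, rng):
    """Blind the inputs, query B, unblind. Returns (s, w); w = theta(g, h)^(d*s) if B was right."""
    r_g = rng.randrange(1, Q)                    # r6 or r9 (nonzero so that 1/s exists mod Q)
    r_h = rng.randrange(Q)                       # r7 or r10
    g_in = r_g * g % Q                           # g^r_g, written additively in the toy group
    h_in = (r_h * sigma * mu_h + d * h) % Q      # mu_h^(r_h*sigma) * h^d
    z = B(g_in, h_in)
    w = z * pow(nu, -(r_g * r_h) % Q, P) % P     # z * nu'^(-r_g*r_h)
    return r_g, w


def egcd(a, b):
    """Return (gcd, x, y) with a*x + b*y = gcd."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        k = a // b
        a, b = b, a - k * b
        x0, x1 = x1, x0 - k * x1
        y0, y1 = y1, y0 - k * y1
    return a, x0, y0


def combine_without_roots(pairs):
    """[0244]: pairs (alpha_i, S_i) with alpha_i = theta(g, h)^S_i; needs sum(L_i*S_i) = 1."""
    gcd, coeffs = pairs[0][1], [1]
    for _, s in pairs[1:]:
        gcd, x, y = egcd(gcd, s)
        coeffs = [c * x for c in coeffs] + [y]
    if gcd != 1:
        return None                              # no such integers L_i yet
    out = 1
    for (alpha, _), L in zip(pairs, coeffs):
        out = out * pow(alpha, L, P) % P         # negative L means a modular inverse, not a root
    return out


def request(B, g, h, mu_h, sigma, nu, rng, max_rounds=500):
    """Returns (theta by the root of Step S225', theta by the [0244] combination) or None."""
    L3, L4, accepted = [], [], {}
    for _ in range(max_rounds):
        L3.append(sample(B, g, h, mu_h, sigma, nu, 1, rng))             # (s3, w3)
        d2 = rng.randrange(1, Q)
        L4.append((d2,) + sample(B, g, h, mu_h, sigma, nu, d2, rng))    # (t4, s4, w4)
        for s3, w3 in L3:
            for t4, s4, w4 in L4:
                e = t4 * s4 * pow(s3, -1, Q) % Q
                if pow(w3, e, P) == w4:                                 # Step S224'
                    accepted[s3] = w3
        if accepted:
            combined = combine_without_roots([(w, s) for s, w in accepted.items()])
            if combined is not None:
                s3, w3 = next(iter(accepted.items()))
                return pow(w3, pow(s3, -1, Q), P), combined
    return None


def demo(seed=2012, p_correct=0.5):
    rng = random.Random(seed)
    g, h, mu_h, sigma = 123456, 654321, 1, 7919   # constructed sample values
    nu = pow(theta(g, mu_h), sigma, P)            # nu' with nu'^(1/sigma) = theta(g, mu_h)
    B = make_calculator(p_correct, rng)
    return request(B, g, h, mu_h, sigma, nu, rng), theta(g, h)


if __name__ == "__main__":
    print(demo())
```

The calculator only ever sees g_in and h_in, which are blinded by r_g, r_h and .sigma.; wrong answers are discarded because they fail the Step S224' relation against an independently blinded query.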
Fifth Embodiment
[0267] A proxy calculation system according to a fifth embodiment
differs from the proxy calculation system according to the fourth
embodiment in Steps S13', S110' and S111' and is the same as the
proxy calculation system according to the fourth embodiment in the
other respects. The following description will be mainly focused on
the differences from the fourth embodiment.
[0268] The first input information calculating part 13' does not
calculate the first input information defined as
g.sub.1=.mu..sub.g.sup.r1g but calculates first input information
defined as g.sub.1=g.sup.r1 (Step S13').
[0269] The first list information calculating part 15' does not use
z.sub.1.nu..sup.-r1r2 but uses the random numbers r.sub.1 and
r.sub.2 to calculate r.sub.1r.sub.2, and transmits the calculation
result to the first list storage part 16' (Step S110').
[0270] The first list storage part 16' does not store the
information set (r.sub.2, z.sub.1.nu..sup.-r1r2) but stores
information set (r.sub.1r.sub.2, z.sub.1) composed of the
calculated r.sub.1r.sub.2 and z.sub.1.epsilon.F received from the
calculating apparatus 2' (Step S111').
[0271] While Step S110' in the fourth embodiment is to perform
exponentiation of z.sub.1.nu..sup.-r1r2 for the group F, Step S110'
in the fifth embodiment is to calculate r.sub.1r.sub.2, so that the
number of calculations is reduced by one. Since the number of
exponentiations is reduced in this way, the calculation efficiency
can be improved. If it is difficult to calculate a nontrivial root
for the groups G and H, the security does not deteriorate compared
with the fourth embodiment.
Sixth Embodiment
[0272] A proxy calculation system according to a sixth embodiment
differs from the proxy calculation system according to the fourth
embodiment in Steps S24', S210' and S211' and is the same as the
proxy calculation system according to the fourth embodiment in the
other respects. The following description will be mainly focused on
the differences from the fourth embodiment.
[0273] The sixth input information calculating part 34' does not
calculate the sixth input information defined as
h.sub.3=.mu..sub.h.sup.r7.sigma.h but calculates sixth input
information defined as h.sub.3=h.sup.r7 (Step S24').
[0274] The third list information calculating part 35' does not use
z.sub.3.nu.'.sup.-r6r7 but uses the random numbers r.sub.6 and
r.sub.7 to calculate r.sub.6r.sub.7 (Step S210').
[0275] The third list storage part 36' does not store the
information set (r.sub.6, z.sub.3.nu.'.sup.-r6r7) but stores
information set (r.sub.6r.sub.7, z.sub.3) composed of the
calculated r.sub.6r.sub.7 and z.sub.3.epsilon.F received from the
calculating apparatus 2' (Step S211').
[0276] While Step S210' in the fourth embodiment is to perform
exponentiation of z.sub.3.nu.'.sup.-r6r7 for the group F, Step
S210' in the sixth embodiment is to calculate r.sub.6r.sub.7, so
that the number of calculations is reduced by one. Since the number
of exponentiations is reduced in this way, the calculation
efficiency can be improved.
[0277] If it is difficult to calculate a nontrivial root for the
groups G and H, the security does not deteriorate compared with the
fourth embodiment.
Seventh Embodiment
[0278] A proxy calculation system according to a seventh embodiment
differs from the proxy calculation system according to the fourth
embodiment in Steps S125' and S214' and is the same as the proxy
calculation system according to the fourth embodiment in the other
respects. The following description will be mainly focused on the
differences from the fourth embodiment.
[0279] If the relation described above is satisfied, the first
determining part 28' substitutes t.sub.1s.sub.2 for .sigma. and
w.sub.2 for .nu.' (Step S125').
[0280] The tenth random number generating part 42' calculates
-r.sub.9.sup.-1 using the random number r.sub.9 and designates the
calculation result as r.sub.10 (Step S214').
[0281] Since the definition of .nu.' is modified to make .sigma. a
random number that is difficult to guess in this way, the security
is improved. In addition, since the random number r.sub.9 is used
to calculate the random number r.sub.10, the number of generations
of random numbers can be reduced. It may seem that the randomness
of the eighth input information h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2
decreases and the security deteriorates because the random number
r.sub.10 is determined by the random number r.sub.9, but the
security does not actually deteriorate because the eighth input
information h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2 is scrambled
not only with the random number r.sub.10 but also .sigma..
[0282] According to the seventh embodiment, Steps S22' and S211'
may also be modified as described below.
[0283] The seventh random number generating part 32' calculates
-r.sub.6.sup.-1 using the random number r.sub.6 and designates the
calculation result as r.sub.7 (Step S22').
[0284] The third list storage part 36' stores information set (1,
z.sub.3.nu.'.sup.-r6r7) composed of 1 and the calculated
z.sub.3.nu.'.sup.-r6r7 (Step S211').
[0285] Since the random number r.sub.7 is calculated using the
random number r.sub.6 in this way, the number of generations of
random numbers can be reduced.
[0286] If it is difficult to calculate a nontrivial root for the
groups G and H, the security does not deteriorate compared with the
fourth embodiment.
Eighth Embodiment
[0287] A proxy calculation system according to an eighth embodiment
differs from the proxy calculation system according to the fourth
embodiment in Step S113' and is the same as the proxy calculation
system according to the fourth embodiment in the other respects.
The following description will be mainly focused on the differences
from the fourth embodiment.
[0288] Before Step S113', the fifth random number generating part
22' generates the random number r.sub.5 (Step S114').
[0289] The fourth random number generating part 21' calculates
-r.sub.5.sup.-1 using the random number r.sub.5 and designates the
calculation result as r.sub.4 (Step S113').
[0290] Since the random number r.sub.4 is calculated using the
random number r.sub.5 in this way, the number of generations of
random numbers can be reduced.
[0291] If it is difficult to calculate an arbitrary element h of
the group H that satisfies a relation .theta.(g, h)=.nu. where
g.epsilon.G, the security does not deteriorate compared with the
fourth embodiment.
Ninth Embodiment
[0292] A proxy calculation system according to a ninth embodiment
differs from the proxy calculation system according to the fourth
embodiment in Step S115' and in that the requesting apparatus 1'
further comprises a pre-calculation part 29' shown by a dashed line
in FIG. 12 and is the same as the proxy calculation system
according to the fourth embodiment in the other respects. The
following description will be mainly focused on the differences
from the fourth embodiment.
[0293] The pre-calculation part 29' calculates g.sup.d1 using
d.sub.1 generated by the third random number generating part 27'.
This processing is performed after Step S112' and before Step
S115'.
[0294] The third input information calculating part 23' calculates
g.sub.2=.mu..sub.g.sup.r4g.sup.d1 using the previously calculated
g.sup.d1 (Step S115').
[0295] If the determination criterion is not satisfied in Step
S114', the process from Step S11' to Step S123' is repeated, and
when the process is repeated, the previously calculated g.sup.d1 is
reused. That is, the third random number generating part 27' does
not generate the random number d.sub.1, and the third input
information calculating part 23' calculates
g.sub.2=.mu..sub.g.sup.r4g.sup.d1 using the previously calculated
g.sup.d1. As a result, the number of generations of the random
number d.sub.1 can be reduced, and
g.sub.2=.mu..sub.g.sup.r4g.sup.d1 can be calculated in a shorter
time.
Tenth Embodiment
[0296] A proxy calculation system according to a tenth embodiment
differs from the proxy calculation system according to the fourth
embodiment in Step S216' and in that the requesting apparatus 1'
further comprises a pre-calculation part 49' shown by a dashed line
in FIG. 13 and is the same as the proxy calculation system
according to the fourth embodiment in the other respects. The
following description will be mainly focused on the differences
from the fourth embodiment.
[0297] The pre-calculation part 49' calculates h.sup.d2 using
d.sub.2 generated by the eighth random number generating part 47'.
This processing is performed after Step S212' and before Step
S216'.
[0298] The eighth input information calculating part 44' calculates
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2 using the previously
calculated h.sup.d2 (Step S216').
[0299] If the determination criterion is not satisfied in Step
S214', the process from Step S21' to Step S223' is repeated, and
when the process is repeated, the previously calculated h.sup.d2 is
reused. That is, the eighth random number generating part 47' does
not generate the random number d.sub.2, and the eighth input
information calculating part 44' calculates
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2 using the previously
calculated h.sup.d2. As a result, the number of generations of the
random number d.sub.2 can be reduced, and
h.sub.4=.mu..sub.h.sup.r10.sigma.h.sup.d2 can be calculated in a
shorter time.
Modifications of Fourth to Tenth Embodiments
[0300] When each of the first random number generating part 11',
the second random number generating part 12', the third random
number generating part 27', the fourth random number generating
part 21', the fifth random number generating part 22', the sixth
random number generating part 31', the seventh random number
generating part 32', the eighth random number generating part 47',
the ninth random number generating part 41' and the tenth random
number generating part 42' generates a uniform random number, the
security of the proxy calculation system is at the highest level.
However, when such a high security level is not required, each of
the first random number generating part 11', the second random
number generating part 12', the third random number generating part
27', the fourth random number generating part 21', the fifth random
number generating part 22', the sixth random number generating part
31', the seventh random number generating part 32', the eighth
random number generating part 47', the ninth random number
generating part 41' and the tenth random number generating part 42'
may generate a random number that is not a uniform random
number.
[0301] The first determining part 28' may perform the processing
each time an information set is added to the lists L.sub.1 and
L.sub.2. For example, in the case where the second list storage
part 26' stores the information set (d.sub.1, r.sub.5,
z.sub.2.nu..sup.-r4r5), the processing of Step S124' may be
performed after Step S111'.
[0302] Similarly, the second determining part 48' may perform the
processing each time an information set is added to the lists
L.sub.3 and L.sub.4.
[0303] The fourth to tenth embodiments can be combined with each
other.
[0304] The parts of the requesting apparatus 1' may exchange data
directly or via a storage part (not shown). Similarly, the parts of
the calculating apparatus 2' may exchange data directly or via a
storage part (not shown).
[0305] Each of the requesting apparatus 1' and the calculating
apparatus 2' can be implemented by a computer. In this case,
specific processings of the functions that the apparatus has to
have are described in a program. The computer executes the program,
thereby implementing each processing function of the apparatus.
[0306] The program that describes the specific processings can be
recorded in a computer-readable recording medium. As an alternative
to using a computer that executes a predetermined program to
provide these apparatuses, at least part of these specific
processings may be implemented in a hardware form.
[0307] The first to third embodiments and the fourth to tenth
embodiments may be combined with each other. For example, as
illustrated in FIG. 17, the calculating apparatus 2 according to
the first to third embodiments may comprise the requesting
apparatus 1' according to the fourth to tenth embodiments, and the
calculating apparatus 2 comprising the requesting apparatus 1' may
calculate the function f using the calculating apparatus 2' as
described above with regard to the fourth to tenth embodiments.
[0308] More specifically, in order to calculate the function f(x)
that needs to be calculated, the calculating apparatus 2 uses the
calculating apparatus 2' to calculate the value of the
corresponding map .theta.(g, h). The map .theta.(g, h)
corresponding to the function f(x) is a map .theta.(g, h) that
outputs the same value as the function f(x) for a given function f
and a given value x. If there is a relation f(x)=.theta.(x, h) for
an element h.epsilon.H, a map .theta. corresponding to f(x) is .theta.(x,
h).
[0309] For example, in the Boneh/Franklin ID-based encryption
described in Reference 1, a decryption function for a certain ID is
denoted by f. In this ID-based encryption, finite groups G and H of
points on an elliptic curve and pairing .tau.: G.times.H.fwdarw.F
are used. Q denotes an element of the group G. A secret key of a
key distribution center for the ID-based encryption is denoted by
s, and a public key is denoted by P=sQ. Public parameters of the
ID-based encryption are descriptions of the groups G and H, a
description of the pairing .tau., and Q and P.
[0310] [Reference 1] Dan Boneh, Matt Franklin, "Identity-Based
Encryption from the Weil Pairing", CRYPTO 2001, LNCS 2139, pp.
213-229, 2001.
[0311] Issue of a key occurs as described below. The key
distribution center calculates P.sub.ID=sQ.sub.ID for an element
Q.sub.ID of the group H that depends on the ID and notifies a
holder of the ID of the P.sub.ID=sQ.sub.ID. P.sub.ID is a secret
key of the holder of the ID. The decryption function f: G.fwdarw.F
is defined as f(x)=.tau.(x, P.sub.ID).
[0312] Generation of a cipher text and decryption of the cipher
text occur as described below. A plain text m is encrypted for an
ID by generating a random number r and calculating (Q.sup.r,
m(+)H(.tau.(P.sup.r, Q.sub.ID))), which is a cipher text (C.sub.1,
C.sub.2). The cipher text is decrypted into the plain text by
calculating C.sub.2(+)H(f(C.sub.1)) for the cipher text (C.sub.1,
C.sub.2). Note that H denotes a hash function, and (+) denotes
exclusive OR.
[0313] In the Boneh/Franklin ID-based encryption, the map .theta. for the
function f(x) is defined using the pairing .tau., for example.
Specifically, f(x)=.tau.(x, P.sub.ID).
[0314] In the case where the calculating apparatus 2 is an IC card
or a cellular phone, which is not susceptible to extraction of
secret information but has a limited computational capacity,
combining multiple requesting apparatuses and multiple calculating
apparatuses in this way is advantageous.
[0315] The present invention is not limited to the embodiments
described above, and various modifications can be made as required
without departing from the spirit of the present invention.